Closed stefaniuk closed 1 year ago
Would we be happy with SSH keys instead of GPG keys? SSH key signing is much simpler to set up - I'm guessing that most would already have an SSH key attached to their GitHub account that would work, and while GPG offers revocation, in practice we get all the same benefits by just rotating the SSH key.
@regularfry Good point, thanks! I've added a note indicating that both methods, GPG and SSH, are acceptable. The former is preferred because it has been around for many years, whereas the latter was introduced to Git in November 2021 and was only adopted by GitHub a year ago.
@regularfry Thanks for the feedback and review, merging...
Description
Signing Git commits is a crucial practice. Therefore, we're adding a guide on how to set it up. This ensures the correct web of trust has been established for the distributed version control management.
Sensitive Information Declaration
To ensure the utmost confidentiality and protect your and others' privacy, we kindly ask you NOT to include PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that contains sensitive information. We really appreciate your cooperation in this matter.