GPG/SSH commit signature verification

[coopernetes]

Is your feature request related to a problem? Please describe.

Currently, git-proxy has no mechanism to verify that commits are cryptographically signed. Organizations may wish to mandate that all commits be signed with GPG or SSH keys to ensure authenticity and non-repudiation. This can be a simple access control check where keys are only signed for approved committers.

The commit parsing logic already extracts the gpgsig header from commit objects (visible in parsePush), but this data is not validated.

Describe the solution you'd like

A new processor (checkCommitSignatures or similar) that:

1. Requires commits to be signed - Block unsigned commits
2. Verifies signatures are valid - Use gpg --verify or equivalent to validate the signature
3. Optionally validates against a trusted keyring - Only accept signatures from pre-approved keys

example configuration

{
  "commitConfig": {
    "signature": {
      "required": true,
      "verifySignature": true,
      "trustedKeys": [
        "ABCD1234EFGH5678",
        "fingerprint:SHA256:..."
      ],
      "allowSSHSignatures": true
    }
  }
}

Additional context

Related: #62