
Add CI job on push to verify that all commits are signed directly or by tag #105

Open
ben-grande opened this issue Oct 23, 2024 · 1 comment
Labels
T: enhancement New feature or request

Comments


ben-grande commented Oct 23, 2024

Current problem (if any)

When merging code from others, it would be nice to automatically create a signed tag with my signature.

Proposed solution

Evaluate marmarek's signature-checker and the hooks post-merge (sign with tag if commit is not signed by trusted key) and pre-push (block push if not everything is signed).

Criteria:

  • The script must be able to run locally, just like almost every other CI job
  • Without internet connection, keys must be present in the repository
  • It must prevent pushes on the client side
  • Must fail CI on the server side indicating the error

The value to a user, and who that user might be

  • Developers: maintainer signs contributor commit for users to only require verifying one fingerprint
  • Users: can be sure of authenticity
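A sketch of the check the criteria above describe, written here as an added example; it is not a script from this repository nor from marmarek's signature-checker. It assumes the trusted public keys are committed as ASCII-armored `.asc` files under a directory named by `KEYS_DIR` (assumed name, default `.keys`), that signatures are OpenPGP, and that the caller passes a commit range such as `origin/main..HEAD`. The policy part (`audit_log`) is plain shell over `git log --format='%H %G?'` output, so it runs without a repository; only `main` needs git and gpg.

```shell
#!/bin/sh
# Added example (not this project's code): verify that every commit in a range
# is either signed by a key kept in the repository, or reachable from a tag
# that is signed by such a key. Usable as a pre-push hook or as a CI step.
set -u

# Assumed layout: ASCII-armored public keys committed under $KEYS_DIR.
KEYS_DIR="${KEYS_DIR:-.keys}"

# Build a throwaway GNUPGHOME containing only the repository's keys, so that
# "G" (good) from %G? means "signed by a key we ship", not "signed by anything
# in the developer's personal keyring". Prints the directory path.
setup_keyring() {
  home=$(mktemp -d) || return 1
  chmod 700 "$home"
  gpg --homedir "$home" --batch --quiet --import "$KEYS_DIR"/*.asc || return 1
  # Mark every imported key as ultimately trusted; otherwise git reports "U"
  # (good signature, untrusted key) instead of "G".
  gpg --homedir "$home" --batch --list-keys --with-colons \
    | awk -F: '$1 == "fpr" { print $10 ":6:" }' \
    | gpg --homedir "$home" --batch --quiet --import-ownertrust
  printf '%s\n' "$home"
}

# Pure policy check, usable without git: $1 is the output of
# `git log --format='%H %G?' <range>`, $2 is a space-separated list of commits
# that are ancestors of a tag whose signature verified against the keyring.
# Prints each rejected commit to stderr and returns 1 if any were rejected.
# %G? codes: G good, N unsigned, U good/untrusted, X/Y/R expired or revoked,
# B bad signature, E could not check.
audit_log() {
  covered=" $2 "
  failures=$(printf '%s\n' "$1" | while read -r line; do
    [ -n "$line" ] || continue
    commit=${line%% *}
    rest=${line#* }
    status=${rest%% *}
    case "$status" in
      G) ;;                              # directly signed by a shipped key
      B) echo "$commit bad-signature" ;; # never accept a bad signature, tag or not
      *) case "$covered" in
           *" $commit "*) ;;             # vouched for by a signed tag
           *) echo "$commit $status" ;;
         esac ;;
    esac
  done)
  [ -z "$failures" ] && return 0
  printf 'unverified commits (hash status):\n%s\n' "$failures" >&2
  return 1
}

# Collect the commits in range $1 that are reachable from a tag whose
# signature verifies under the current $GNUPGHOME (needs git and gpg).
covered_by_signed_tag() {
  covered=""
  for tag in $(git tag); do
    git verify-tag "$tag" >/dev/null 2>&1 || continue
    for c in $(git rev-list "$1"); do
      git merge-base --is-ancestor "$c" "$tag" 2>/dev/null && covered="$covered $c"
    done
  done
  printf '%s\n' "$covered"
}

main() {
  range=$1   # e.g. origin/main..HEAD, or "$remote_sha..$local_sha" from pre-push stdin
  GNUPGHOME=$(setup_keyring) || exit 2
  export GNUPGHOME
  log=$(git log --format='%H %G?' "$range")
  covered=$(covered_by_signed_tag "$range")
  rm -rf "$GNUPGHOME"
  audit_log "$log" "$covered"
}

# Only run the git-backed check when a range is given; the functions above can
# be sourced or exercised on their own.
if [ $# -gt 0 ]; then
  main "$1"
fi
```

As a pre-push hook, call `main "$remote_sha..$local_sha"` for each ref line git passes on stdin; in CI, run it over `origin/<base>..HEAD` so the job fails with the list of unverified hashes. A bad signature (`B`) is rejected outright rather than excused by a covering tag, since a tag vouching for a commit whose signature does not verify is more likely a mistake than an intended override.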

ben-grande commented Oct 25, 2024

pre-receive hooks seem to be only possible with GitHub Enterprise; GitHub CI was not tested yet.

post-merge or post-commit were not implemented "yet".
