2.3.7 Sign all the commits
Related to the audit.
Garden Party instances can sync data from a public repository owned by Garden Party maintainers.
To increase trust in this single source of information, we recommend allowing only GPG-signed commits from trusted developers.
This way, any instance maintainer can continuously validate the authenticity of the data source content before pulling any update.
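One way an instance maintainer could enforce this check before each sync, as an added example that is not part of the audit or of the Garden Party code base. The function names, the `origin`/`main` defaults and the two fingerprints are assumptions (the fingerprints are constructed placeholders).

```shell
#!/bin/sh
# Added example: refuse to pull unless every incoming commit is signed by a pinned key.
# TRUSTED_FPRS holds constructed placeholder fingerprints; replace them with the
# maintainers' primary-key fingerprints, obtained out of band.
TRUSTED_FPRS="AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222"

# Reads "<commit> <status> <primary-key-fingerprint>" lines on stdin, as printed by
#   git log --format='%H %G? %GP'
# Returns 0 only if every commit has status G (good, valid signature) from a pinned key.
# Any other status (N = unsigned, B = bad, U = unknown validity, E = key missing...) fails.
check_signatures() {
    rc=0
    while read -r commit status fpr; do
        [ -n "$commit" ] || continue
        if [ "$status" != "G" ]; then
            echo "REJECT $commit: signature status '$status'" >&2
            rc=1
        elif [ -z "$fpr" ] || ! printf '%s\n' "$TRUSTED_FPRS" | grep -qxF -- "$fpr"; then
            echo "REJECT $commit: signer '${fpr:-unknown}' is not pinned" >&2
            rc=1
        fi
    done
    return $rc
}

# Fetches, verifies only the commits not yet in HEAD (the current HEAD is assumed
# to have been verified by an earlier run), then fast-forwards.
verify_and_pull() {
    remote=${1:-origin}
    branch=${2:-main}
    git fetch --quiet "$remote" "$branch" || return 1
    log=$(git log --format='%H %G? %GP' "HEAD..$remote/$branch") || return 1
    if ! printf '%s\n' "$log" | check_signatures; then
        echo "Update refused: unsigned or untrusted commits upstream" >&2
        return 1
    fi
    git merge --ff-only "$remote/$branch"
}
```

Source the file and call `verify_and_pull` from the data repository checkout. Status `G` requires the pinned keys to be imported and marked as trusted in the local GnuPG keyring.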