
Signed commits created via REST API should not have author fields customized

Overview

When a commit is created via the Commits API (https://docs.gitlab.com/ee/api/commits.html#create-a-commit-with-multiple-files-and-actions), it is created through Gitaly, i.e. it is treated as a web commit. Currently, such commits are signed and the following message is displayed:

[Screenshot (Screenshot_2024-04-16_at_11.18.41): the signature message shown on the commit]

The message states that the commit was created in the UI, but it was actually created via the API, which is not the same thing.

Problem

The Author/Committer fields cannot be changed via the UI, which is what makes signing web commits trustworthy. However, author_name and author_email can be specified in the API request, which makes impersonation possible.

https://staging.gitlab.com/source-code-management-test-group/commit-signing-test/-/commit/b3fa0ce356ab8e68b39fba72a88625a789e64261

Solution

  1. Add a new field to the Commits API (sign or sign_commits).
  2. If commit signing is not configured for the instance, the field has no effect.
  3. If commit signing is enabled, then commits created via the Commits API are signed.
  4. If author name and email are specified, then the Commits API returns a validation error: these fields cannot be specified when the sign field equals true.
  5. A user has the option to pass sign: false along with the author fields and create a commit that is unsigned but has the author fields set.
  6. If an organization uses reject unsigned commits and has commit signing enabled for commits made by GitLab, unsigned commits created via the Commits API are rejected.
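To make the interaction of these six rules concrete, here is an added example (not GitLab's code, and not an implementation from this issue) that models the proposed server-side validation for a Commits API request body. The settings names (signing_configured, reject_unsigned_commits), the field names on the Decision struct, and the sample request bodies are all assumptions constructed for the example; the reading that sign defaults to true when signing is enabled (so rule 5 is an opt-out) is also an assumption drawn from rules 3 and 5.

```ruby
# Added example: a model of the validation rules proposed in this issue for the
# Commits API (POST /projects/:id/repository/commits). Hypothetical; not GitLab's code.
require "json"

# Instance/project settings assumed for the example (field names are assumptions).
Settings = Struct.new(:signing_configured, :reject_unsigned_commits, keyword_init: true)

# Result of validating one request: whether it is accepted, whether the resulting
# commit would be signed, and any validation errors.
Decision = Struct.new(:accepted, :signed, :errors, keyword_init: true)

AUTHOR_FIELDS = %w[author_name author_email].freeze

def validate_commit_request(payload, settings)
  errors = []
  # Assumption: rules 3 and 5 read as opt-out, so sign defaults to true when absent.
  sign_requested = payload.key?("sign") ? payload["sign"] == true : true
  author_given = AUTHOR_FIELDS.any? { |f| !payload[f].to_s.empty? }

  # Rule 2: without instance-level signing, the sign field has no effect at all.
  sign_effective = settings.signing_configured && sign_requested

  # Rule 4: author fields would let the caller put an arbitrary identity under a
  # signature the instance vouches for, so they are rejected when signing applies.
  if sign_effective && author_given
    errors << "author_name and author_email cannot be specified when sign is true"
  end

  # Rule 6: with reject-unsigned-commits in force and signing configured,
  # an unsigned API commit (sign: false) is rejected.
  if settings.signing_configured && settings.reject_unsigned_commits && !sign_effective
    errors << "unsigned commits are rejected by the reject unsigned commits setting"
  end

  Decision.new(accepted: errors.empty?, signed: errors.empty? && sign_effective, errors: errors)
end

# Constructed sample request bodies, as a client would send them (JSON strings).
SAMPLE_REQUESTS = {
  signed_default: '{"branch":"main","commit_message":"update","actions":[]}',
  impersonation:  '{"branch":"main","commit_message":"update","actions":[],' \
                  '"author_name":"Someone Else","author_email":"someone@example.com"}',
  opt_out:        '{"branch":"main","commit_message":"update","actions":[],"sign":false,' \
                  '"author_name":"Someone Else","author_email":"someone@example.com"}'
}.freeze

# Run every sample request against one settings profile; returns name => Decision.
def evaluate_samples(settings)
  SAMPLE_REQUESTS.transform_values { |body| validate_commit_request(JSON.parse(body), settings) }
end

if $PROGRAM_NAME == __FILE__
  signing = Settings.new(signing_configured: true, reject_unsigned_commits: false)
  evaluate_samples(signing).each do |name, d|
    puts "#{name}: accepted=#{d.accepted} signed=#{d.signed} #{d.errors.join('; ')}"
  end
end
```

Running it with signing configured shows the three outcomes the proposal describes: the plain request is accepted and signed, the request carrying author fields is rejected with the rule 4 error, and the sign: false request is accepted unsigned with its author fields intact. Switching reject_unsigned_commits on turns that last case into a rejection (rule 6), and with signing_configured off every request is accepted unsigned regardless of the sign field (rule 2).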
Edited by Marie-Christine Babin