
Draft: Use author email to check for mailmapped x509 commits

What does this MR do and why?

There is a problem with how we are handling x509 signatures and mailmapped commits. Note, this is still behind a feature flag which has not been rolled out yet.

Currently, if a commit is mailmapped (committer email changed to another email), we check that the new email address is one of those present in the signature's x509 certificate.

But we do not check if the email is verified to the user who made the original commit.

To fix this we:

  1. Add an author_email column to the x509_commit_signatures table to store and track the unmapped email address which pushed the commit.
  2. Update the cache for verified x509 signatures to add the author email.
  3. Consider both the X.509 certificate's verified emails AND the author's verified emails when determining if a commit signature is still 'verified'.

How to set up and validate locally

  1. Set up x509 commit signing on GDK and create an x509 certificate and signed commit.
  2. Push the signed commit to a new project. Notice that the commit has a verified signature badge.
  3. Create a mailmap file and map the committer email to another email (test@example.com) which is in the x509 certificate but not verified to the user who pushed the commit.
  4. Notice that we now display an orange verified label for previously verified commits, as the new email address is in the certificate but not verified in GitLab.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Gavin Hinfey
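
The decision described in this MR, written out as an added example (not code from the MR or from GitLab). `CachedSignature`, `signature_status`, the three status symbols and the case-insensitive email comparison are assumptions made for illustration; the sample data is constructed.

```ruby
require 'set'

# Hypothetical stand-in for a cached signature row; author_email is the
# unmapped address stored when the commit was first verified.
CachedSignature = Struct.new(:cert_emails, :author_email, keyword_init: true)

# Assumption: emails are compared case-insensitively after trimming.
def normalize_email(email)
  email.to_s.strip.downcase
end

# Returns one of three hypothetical statuses:
#   :verified            mapped email is in the certificate and verified to the user
#   :previously_verified mapped email is in the certificate but not verified to the
#                        user, while the stored author email still is (orange label)
#   :unverified          anything else
def signature_status(sig, committer_email:, user_verified_emails:)
  cert     = sig.cert_emails.map { |e| normalize_email(e) }.to_set
  verified = user_verified_emails.map { |e| normalize_email(e) }.to_set
  mapped   = normalize_email(committer_email)
  original = normalize_email(sig.author_email)

  # Check that existed before the change: the shown email must be in the certificate.
  return :unverified unless cert.include?(mapped)
  return :verified if verified.include?(mapped)

  # Mailmap case: the certificate covers the mapped email, but the user does not
  # own it. Fall back to the stored author email; a row without one never matches.
  if !original.empty? && cert.include?(original) && verified.include?(original)
    return :previously_verified
  end

  :unverified
end

# Constructed sample data.
SAMPLE_SIG = CachedSignature.new(
  cert_emails: ['dev@example.com', 'test@example.com'],
  author_email: 'dev@example.com'
)
SAMPLE_VERIFIED = ['Dev@Example.com'].freeze

if __FILE__ == $PROGRAM_NAME
  ['dev@example.com', 'test@example.com', 'other@example.com'].each do |email|
    status = signature_status(SAMPLE_SIG, committer_email: email,
                                          user_verified_emails: SAMPLE_VERIFIED)
    puts "#{email}: #{status}"
  end
end
```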
