Clarify info on commit email addresses

What does this MR do?

Clarifies that SSH commit signature verification requires the committer email to match a verified email address on the user's GitLab account.

User feedback:

It is not clear at all how gitlab.com decides which commit email addresses are accepted for signed commits (similar to gpg.ssh.allowedSignersFile on a local machine). This page makes it seem as if adding the public key to gitlab.com is sufficient to verify all commits signed with the private key, irrespective of the commit email (and this would make sense, since everyone can set every email address for commits). However, only the Gitlab account email(s) seem(s) to be accepted.

The docs state that GitLab uses the SSH public keys associated with your GitLab account to cryptographically verify the commit signature, which implies that adding the key was sufficient. However, verification also requires the committer email in git config user.email to match a verified email on the account (the same requirement documented for GPG signing).

Verification logic

SSH verification (lib/gitlab/ssh/signature.rb):

def committer?
  # Lookup by email because users can push verified commits that were made
  # by someone else. For example: Doing a rebase.
  committer = User.find_by_any_email(committer_email)
  committer && signed_by_key.user == committer
end

def signed_by_user_email_verified?
  signed_by_key.user.verified_emails.include?(committer_email)
end

GPG verification (lib/gitlab/gpg/signature.rb):

if gpg_key.verified_and_belongs_to_email?(email)
  :verified
elsif gpg_key.user.all_emails.include?(email)
  :same_user_different_email
else
  :other_user
end

Both check if the committer email matches the signing user's verified emails. The key difference is that SSH requires the email to be verified (verified_emails), while GPG allows unverified emails but marks them as same_user_different_email instead of fully verified.

Related issues

• https://gitlab.com/gitlab-org/gitlab/-/issues/584734+

Author's checklist

• Optional. Consider taking the GitLab Technical Writing Fundamentals course.
• Follow the:
  • Documentation process.
  • Documentation guidelines.
  • Style Guide.
• If you're adding a new page, add the product availability details under the H1 topic title.
• If you are a GitLab team member, request a review based on:
  • The documentation page's metadata.
  • The associated Technical Writer.

Reviewer's checklist

Documentation-related MRs should be reviewed by a Technical Writer for a non-blocking review, based on Documentation Guidelines and the Style Guide.

If you aren't sure which tech writer to ask, use roulette or ask in the #docs Slack channel.

• If the content requires it, ensure the information is reviewed by a subject matter expert.
• Technical writer review items:
  • Ensure docs metadata is present and up-to-date.
  • Ensure the appropriate labels are added to this MR.
  • Ensure a release milestone is set.
  • If relevant to this MR, ensure content topic type principles are in use, including:
    • The headings should be something you'd do a Google search for. Instead of Default behavior, say something like Default behavior when you close an issue.
    • The headings (other than the page title) should be active. Instead of Configuring GDK, say something like Configure GDK.
    • Any task steps should be written as a numbered list.
    • If the content still needs to be edited for topic types, you can create a follow-up issue with the docs-technical-debt label.
• Review by assigned maintainer, who can always request/require the reviews above. Maintainer's review can occur before or after a technical writer review.