By itself, a signature on a commit doesn't mean much: anyone can generate a key and create a signature. Signing commits becomes useful when the signatures are checked against a policy. Sequoia git (https://gitlab.com/sequoia-pgp/sequoia-git) specifies a set of semantics, defines a policy language, and provides a set of tools to manage a policy file and authenticate commits. The authenticate-commits action checks that the commits in a pull request are signed and authorized according to the project's policy.
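An added example, not from this project's own documentation, of how a workflow could run the check on every pull request. The action reference `sequoia-pgp/authenticate-commits@v1` is assumed, and the action's own inputs (if any) are not shown; only the workflow trigger and token permissions are standard GitHub Actions syntax.

```yaml
# .github/workflows/authenticate-commits.yml (added example; the action ref below is an assumption)
name: Authenticate commits

# Run on pull requests so unsigned or unauthorized commits are caught before merge.
on:
  pull_request:

# Least privilege: the check only needs to read the repository and the PR.
permissions:
  contents: read
  pull-requests: read

jobs:
  authenticate-commits:
    runs-on: ubuntu-latest
    steps:
      # Pinning to a tag is shown here; a full commit SHA is the stricter choice
      # for a security-critical action.
      - uses: sequoia-pgp/authenticate-commits@v1
```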