Ensure all commits signed by contributor PGP keys from Keybase.io

[heri16]

Description

All commits pushed to GitHub should be cryptographic signed by the developer PGP keys that are published on Keybase.io .

This should apply to all contributors as standard Git commits are inherently weak against identity spoofing / impersonation.

The Heartbleed Openssl incident teaches us that it would be bad if we could not trace exactly who made the changes that led to the vulnerability.

See: https://help.github.com/articles/signing-commits/

• Make all contributors signup for Keybase.io and completed the attestation steps
• Create Setup guide for automatic commit signing with git
• Retroactively sign all past commits

[heri16]

Decided to use codesign feature of https://github.com/kryptco/kr for better security of PGP keys and easier developer setup.