🤷 How to properly GPG-sign GitHub App (bot) created commits

Hi,

So I noticed that https://github.blog/2019-08-15-commit-signing-support-for-bots-and-other-github-apps/ and https://docs.github.com/en/github/authenticating-to-github/about-commit-signature-verification#signature-verification-for-bots mention:

Organizations and GitHub Apps that require commit signing can use bots to sign commits. If a commit or tag has a bot signature that is cryptographically verifiable, GitHub marks the commit or tag as verified.

Signature verification for bots will only work if the request is verified and authenticated as the GitHub App or bot and contains no custom author information, custom committer information, and no custom signature information, such as Commits API.

But while it certainly tries to answer the question I have, it only makes it more confusing.

Let’s say that I have a PGP key that I want to use. Since it’s a GitHub App and not a regular user account, there’s no settings page where I can add it on GitHub.

What happens if I use it and just git push using a GitHub App Installation access token?
Will GitHub show that commit as verified? Is that it?

I tried looking into the dependabot source @ https://github.com/dependabot/dependabot-core/blob/7b4c96f3723652d3b81d853e09f126758ba44490/common/lib/dependabot/pull_request_creator/commit_signer.rb#L30-L39 in order to get some clarity.

It appears that the GPG key email should match an email in the author field of the commit.

Also, the wording of the docs makes me question what metadata I can set in the commit. It says that there should be no custom committer/author/signature but what does this even mean? What is non-custom in this case? I cannot have a commit without a committer field, can I? And what does this have to do with Commits API, anyway?

The docs mention that the signature should be cryptographically verifiable which is kinda the whole point of having PGP signatures. Does that wording mean that the signature should match the commit not taking into account that it’s not added as trusted anywhere?

It’d be great to have a full annotated example of all aspects of signing bot-created commits.
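As an added illustration (not part of the original post, and not GitHub's or dependabot's code), the script below shows what a signed git commit object actually looks like and which bytes a PGP signature covers. In git's object format the armored signature travels in a `gpgsig` header, with continuation lines indented by one space; the signed payload is the commit object with that header removed, so the tree, parents, author line, committer line and message are all inside the signed bytes. That is why the identity in the author/committer lines matters for verification: whatever the signer puts there is what the signature commits to. The commit object and the signature block are constructed placeholders (the armor is not a real signature), the bot name `my-bot[bot]` and the `key_covers_author` check mirror the dependabot observation above as an assumption, and no actual OpenPGP verification is performed here.

```python
"""Anatomy of a GPG-signed git commit object (added example, constructed data).

Shows how the signature is embedded, which bytes it covers, how the object
id is derived, and how the author email can be compared with the signing
key's user IDs. The gpgsig value below is a placeholder, not a real signature.
"""
import hashlib
import re

# Constructed sample commit. Bot identity and signature armor are assumptions.
SIGNED_COMMIT = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"parent 0123456789abcdef0123456789abcdef01234567\n"
    b"author my-bot[bot] <12345+my-bot[bot]@users.noreply.github.com> 1600000000 +0000\n"
    b"committer my-bot[bot] <12345+my-bot[bot]@users.noreply.github.com> 1600000000 +0000\n"
    b"gpgsig -----BEGIN PGP SIGNATURE-----\n"
    b" \n"
    b" iQEzBAABCAAdFiEEplaceholderplaceholderplaceholderplaceholder\n"
    b" =abcd\n"
    b" -----END PGP SIGNATURE-----\n"
    b"\n"
    b"Bump example-dep from 1.0.0 to 1.0.1\n"
)

IDENTITY_RE = re.compile(
    rb"^(?P<field>author|committer) (?P<name>.*) <(?P<email>[^>]*)> "
    rb"(?P<ts>\d+) (?P<tz>[+-]\d{4})$",
    re.M,
)


def split_signature(obj):
    """Return (signed_payload, armored_signature_or_None).

    git stores the signature as a multi-line 'gpgsig' header; continuation
    lines start with a single space. The payload the signature covers is the
    object with that header (and its continuation lines) removed.
    """
    header_end = obj.index(b"\n\n")
    header, body = obj[:header_end + 1], obj[header_end + 1:]
    kept, sig_lines, in_sig = [], [], False
    for line in header.split(b"\n")[:-1]:  # drop trailing '' after final "\n"
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig_lines.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):
            sig_lines.append(line[1:])
        else:
            in_sig = False
            kept.append(line)
    payload = b"\n".join(kept) + b"\n" + body
    signature = b"\n".join(sig_lines) + b"\n" if sig_lines else None
    return payload, signature


def object_id(obj):
    """SHA-1 object id as git computes it: over 'commit <len>\\0' + content."""
    return hashlib.sha1(b"commit %d\x00" % len(obj) + obj).hexdigest()


def identities(obj):
    """Map 'author'/'committer' to (name, email) taken from the signed payload."""
    payload, _ = split_signature(obj)
    header = payload.split(b"\n\n", 1)[0]
    return {
        m["field"].decode(): (m["name"].decode(), m["email"].decode())
        for m in IDENTITY_RE.finditer(header)
    }


def key_covers_author(obj, key_uid_emails):
    """Assumed check (mirrors the dependabot observation in the post): the
    author email must appear among the signing key's user-ID emails."""
    author_email = identities(obj)["author"][1].lower()
    return author_email in {e.lower() for e in key_uid_emails}


if __name__ == "__main__":
    payload, sig = split_signature(SIGNED_COMMIT)
    print("object id:", object_id(SIGNED_COMMIT))
    print("signed bytes:", len(payload), "of", len(SIGNED_COMMIT))
    print("identities:", identities(SIGNED_COMMIT))
    print("signature present:", sig is not None)
```

Running it on a real repository, `git cat-file commit HEAD` on a signed commit yields exactly this layout, and `git verify-commit HEAD` checks the armored block against the stripped payload; any edit to the author or committer line changes the payload and therefore invalidates the signature.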