
FINERACT-2177: Add Git signed commits verification#5431

Open
DeathGun44 wants to merge 1 commit into apache:develop from DeathGun44:FINERACT-2177/git-signed-commits

Conversation

@DeathGun44 (Contributor)

Description

This PR addresses FINERACT-2177 by adding a workflow to enforce Git Commit Signing.

The Implementation

  • Portable Logic: Instead of relying on vendor-specific GitHub Actions, the logic is encapsulated in scripts/verify-signed-commits.sh. This ensures the check can be run locally by any developer (./scripts/verify-signed-commits.sh) and is CI-agnostic.
  • Robust Verification: The script handles CI environments where public keys are missing (accepting U status) while correctly flagging unsigned commits (N).
  • UX: Uses GitHub Annotations (::error) to highlight specific problematic commits in the PR file view.

⚠️ Strict Enforcement Note

This PR includes the --strict flag, which will fail the build for unsigned commits.

  • Why: "Warn-only" checks are often ignored. Security requires enforcement.
  • Mitigation: If this is deemed too disruptive for existing open PRs, I can remove the --strict flag for the initial merge to allow a grace period.

Checklist

Please make sure these boxes are checked before submitting your pull request - thanks!

  • Write the commit message as per our guidelines
  • Acknowledge that we will not review PRs that are not passing the build ("green") - it is your responsibility to get a proposed PR to pass the build, not primarily the project's maintainers.
  • Create/update unit or integration tests for verifying the changes made.
  • Follow our coding conventions.
  • Add required Swagger annotation and update API documentation at fineract-provider/src/main/resources/static/legacy-docs/apiLive.htm with details of any API changes
  • This PR must not be a "code dump". Large changes can be made in a branch, with assistance. Ask for help on the developer mailing list.
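As an added illustration of the gate the description outlines (not the PR's own scripts/verify-signed-commits.sh), a hypothetical POSIX shell script that maps git's `%G?` signature status to a verdict (G/U accepted, N flagged), emits `::error`/`::warning` annotations, and fails the build only under `--strict`. The function names, the tolerant handling of `E`, and the `origin/develop` default are assumptions.

```shell
#!/usr/bin/env sh
# Hypothetical signed-commit gate (added example, not the PR's own script).
# Assumes git is installed; %G? is git's per-commit signature status code:
#   G good signature, U good but key trust unknown, E present but unverifiable
#   (public key absent in CI), X/Y expired, R revoked, B bad, N no signature.

# Map a %G? code to a verdict word; return 0 if acceptable, 1 if flagged.
verdict() {
  case "$1" in
    G|U)     printf 'signed\n';        return 0 ;;
    E)       printf 'unverifiable\n';  return 0 ;;  # assumption: tolerated like U
    X|Y|R|B) printf 'bad-signature\n'; return 1 ;;
    *)       printf 'unsigned\n';      return 1 ;;
  esac
}

# Emit a GitHub Actions workflow command (::error / ::warning) so the commit is
# highlighted in the PR checks view; plain stderr when run outside Actions.
annotate() {
  if [ -n "${GITHUB_ACTIONS:-}" ]; then
    printf '::%s title=Commit signature::%s %s\n' "$1" "$2" "$3"
  else
    printf '%s: %s %s\n' "$1" "$2" "$3" >&2
  fi
}

# Inspect every commit in BASE..HEAD. STRICT=1 makes each flagged commit an
# error and the function return 1; STRICT=0 only warns (grace period).
verify_range() {
  base=$1; head=$2; strict=${3:-0}; failed=0
  for sha in $(git rev-list "$base..$head"); do
    code=$(git log -1 --format='%G?' "$sha")
    subject=$(git log -1 --format='%s' "$sha")
    word=$(verdict "$code") && continue
    if [ "$strict" = 1 ]; then
      annotate error "$sha" "$word ($code): $subject"; failed=1
    else
      annotate warning "$sha" "$word ($code): $subject"
    fi
  done
  return $failed
}

# CLI: verify-signed-commits.sh [--strict] [BASE] [HEAD]; inert with no args.
if [ $# -gt 0 ]; then
  strict=0; if [ "$1" = --strict ]; then strict=1; shift; fi
  verify_range "${1:-origin/develop}" "${2:-HEAD}" "$strict"   # origin/develop assumed
fi
```

Run it locally as `./verify-signed-commits.sh --strict origin/develop HEAD` before pushing; in a workflow the same invocation turns each flagged commit into an inline annotation.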

Review comment on CONTRIBUTING.md, lines 280 to 288 (outdated):
1. Install GPG:
- **Mac**: `brew install gnupg`
- **Linux (Debian/Ubuntu)**: `sudo apt-get install gnupg`
- **Windows**: Download and install [Gpg4win](https://www.gpg4win.org/)
2. Generate a key: `gpg --full-generate-key`
- Select `(1) RSA and RSA`
- Key size: `4096`
- Expiration: `0` (no expiration)
- Enter your name and GitHub email
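Review bot: "Expiration: `0` (no expiration)" tells every contributor to create a key that never expires; an expiry limits how long a lost or leaked signing key remains usable, and it can be extended later with `gpg --edit-key` (the `expire` command), so suggest recommending a finite expiration instead of `0` in this step.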
Contributor:

Please instead augment/update and refer to https://fineract.apache.org/docs/current/#_gpg_2. That's a more up to date key generation guide using elliptic curve encryption instead of RSA.

Contributor Author:

Done!

@DeathGun44 force-pushed the FINERACT-2177/git-signed-commits branch from 503c784 to 25807d6 on February 3, 2026 03:35
@DeathGun44 requested a review from meonkeys on February 3, 2026 03:36
