Thanks for bringing up signing. That's indeed another source of privacy leaks. I'll have to think about how to approach this :)
I think what we need is unattended signing, or probably more likely, batch signing (sign once no matter how many commits) 🤔