Currently huggingface GPG require all emails to be verified ones and does not have an exception for the user unique noreply email (<username>@users.noreply.huggingface.co> like github do. This means if someone wants to sign their commits, they are now obligated to “leak” one of their account verified email.
My proposition is that @users.noreply.huggingface.co get added as an exception that would make the GPG commits appear as valid. This is what is also done on Github.