Who signed this?

A private key signs a message; the matching public key verifies it — anyone can confirm the message is untouched and that you signed it. In mkit this isn't optional: every commit carries an Ed25519 signature, where git treats signing as a GPG add-on. Generate a key, sign a message, then flip a single character and watch the verifier reject it.