Gitea supports automatically signing commits it generates (such as when merging pull requests, or editing files through the web editor). Sadly there is no documentation on how to actually configure this, besides vague references that it is left up to the server administrator to achieve.
Secure key management is a topic fraught with complexity and trade-off decisions, and the Gitea development team holds the (sensible) position that it is better to give no advice than to give bad advice.
A position that I, as an internet rando, am absolutely not bound by, so here's what I did!
Edit 2024-08-19: these exact steps also work for Forgejo! Just use /var/lib/forgejo instead of /var/lib/gitea for all instructions below.