Support hardware-backed SSH commit signing (FIDO2, PIV, ssh-agent) #2982

Open

swork9 wants to merge 4 commits into gitui-org:master from swork9:master

Conversation

@swork9 swork9 commented Jun 24, 2026

Hi there! In our "fun" era of supply-chain attacks, a hardware key is becoming more of a necessity than a luxury - so I implemented hardware-backed SSH commit signing by shelling out to ssh-keygen directly. It's maybe not the most elegant solution, but it's reliable and reuses the OpenSSH tooling users already trust - which is the same direction JetBrains is taking too (switching to OpenSSH): https://youtrack.jetbrains.com/issue/IJPL-143

For keys that can't be signed in-process, gitui now delegates to "ssh-keygen -Y sign" (respecting gpg.ssh.program) - covering FIDO2, PIV, and agent-backed keys - while keeping the fast in-process path for ordinary on-disk keys, and showing a "touch your security key" hint before the blocking call.

I followed the checklist:

  • I added unittests - no; they would require a physical hardware key to run, so I'm not sure that's a good idea
  • I ran make check without errors
  • I tested the overall application - this PR was committed/signed/pushed via gitui and Nitrokey
  • I added an appropriate item to the changelog
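The dispatch the PR describes, written out as an added example (this is not gitui's code or the PR's implementation; the function names are hypothetical). It classifies the configured `user.signingKey` as in-process or external, builds the `ssh-keygen -Y sign` invocation git uses (namespace `git`), and pipes the commit payload through the `gpg.ssh.program` binary. It assumes the caller has already read the key's `.pub` line and resolved the program path.

```rust
use std::io::{self, Write};
use std::process::{Command, Stdio};

/// Public-key types that OpenSSH can only use through a FIDO2 authenticator.
/// There is never a usable private key on disk for these, so in-process
/// signing is impossible and the work must go to `ssh-keygen -Y sign`.
const SK_KEY_TYPES: &[&str] = &[
    "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
];

/// Hypothetical dispatch check. `signing_key` is the `user.signingKey` value,
/// `pubkey_line` the matching `.pub` line (empty when the key is literal).
/// Returns true when the key has to be signed by an external ssh-keygen.
pub fn needs_external_signer(signing_key: &str, pubkey_line: &str) -> bool {
    // git's `key::<pubkey>` form names a key held only by ssh-agent or a
    // PKCS#11/PIV token: there is no private key file to load in-process.
    if signing_key.starts_with("key::") {
        return true;
    }
    let key_type = pubkey_line.split_whitespace().next().unwrap_or("");
    SK_KEY_TYPES.contains(&key_type)
}

/// Arguments for the `gpg.ssh.program` binary (default "ssh-keygen").
/// With no file operands ssh-keygen signs stdin and writes the signature
/// to stdout. Git's SSH signature namespace is "git".
pub fn sign_args(key_file: &str) -> Vec<String> {
    ["-Y", "sign", "-n", "git", "-f", key_file]
        .iter().map(|s| s.to_string()).collect()
}

/// Run the external signer over the commit payload. `program` is the resolved
/// `gpg.ssh.program`; `key_file` is the private key path or, for a literal
/// key, a temp file holding the public key (ssh-keygen then asks the agent).
pub fn sign_with_ssh_keygen(program: &str, key_file: &str, payload: &[u8], touch_hint: bool)
    -> io::Result<Vec<u8>> {
    if touch_hint {
        // Shown before the blocking call, since a FIDO2 key waits for a touch.
        eprintln!("Touch your security key to sign the commit...");
    }
    let mut child = Command::new(program)
        .args(sign_args(key_file))
        .stdin(Stdio::piped()).stdout(Stdio::piped())
        .spawn()?;
    child.stdin.take().expect("piped stdin").write_all(payload)?;
    let out = child.wait_with_output()?;
    if !out.status.success() {
        return Err(io::Error::new(io::ErrorKind::Other, "ssh-keygen -Y sign failed"));
    }
    Ok(out.stdout)
}
```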
