My issue with S/MIME is that (unless you use GitHub's smimesign) I cannot use nikolay@users.noreply.github.com fake email - my actual Actalis S/MIME certificate reveals my email, so, I can't use it to sign with git. I wish the fake GitHub email had a feature to show you the email received in the last 15 minutes at the no-reply email!
Balancing privacy vs transparency is definitely something that's tricky! You may be interested in https://blog.sigstore.dev/privacy-in-sigstore-57cac15af0d0 which goes into some of the background of why email addresses are used and some of the things we're thinking about in this area for Sigstore.
Disclosure: I'm the creator of gitsign and wrote this blog post.
