Unless they have access to your private key then there’s no way they can sign code as you.
Alternatively yes, access to your password (and 2fa) would allow them the ability to add an ssh private key for you.
But that’s irrelevant because the issue at hand is that I can make a commit to a repo that I have access to, but using your username, and there’s no way to verify it wasn’t you (actually there is but it requires some assumptions and is also dependent on the git hosting infrastructure)
However when you use signing, key ‘A’ may be able to access a repo but can’t sign commits as key ‘B’, so you can’t have the blame dropped on you for malicious commits (again, unless they also compromised your account/key)
Unless they have access to your private key then there’s no way they can sign code as you.
Alternatively yes, access to your password (and 2fa) would allow them the ability to add an ssh private key for you.
But that’s irrelevant because the issue at hand is that I can make a commit to a repo that I have access to, but using your username, and there’s no way to verify it wasn’t you (actually there is but it requires some assumptions and is also dependent on the git hosting infrastructure)
However when you use signing, key ‘A’ may be able to access a repo but can’t sign commits as key ‘B’, so you can’t have the blame dropped on you for malicious commits (again, unless they also compromised your account/key)