Unfortunately I've found that not every source management tool understands SSH signatures and using them may have your commits end up being shown as signed by an untrusted key.
On Linux, GPG supports TPM2, but I'm not sure if that also works on macOS.