Should I keep gitconfig's "signingKey" private?
No.
The secret key is not in git's configs but in the GnuPG's "keyring", which is usually some file in your HOME. In theory it can also be in more secure locations, like hardware token, but I don't know much about it.
The value in git config only instructs gpg which secret key to select.
I'm not a security expert but I don't think that your signingkey must be kept private:
- .gitconfig file doesn't contain any critical data (like private keys), hence many people share it on their GitHub dotfiles repository, including their signing key.
- If it were to be kept private, GitHub wouldn't show it publicly when you click on "verified" button in a signed commit: