I'd say that in general it verifies it with the email, but it depends.
I just did a test with four commits with a signature matching both on user and email, only on email, only on user, and in none of them and:
From GitHub, it validates signatures with the email registered in the commit: If the signature matches the key registered for the GitHub user with that email address, it says "Verified" in a green box. If it doesn't, it says "Unverified" in a yellow box.
So GitHub "Verified" two commits: the one that matches all the fields and the one that only matches the email.
From git CLI, it depends on your configuration.
If you do a `git log --show-signature` at first it will complain with `error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification`. You need to set up a file with your trusted ssh signatures.
Once you set that up, it will verify ALL correctly signed commits, even if they don't match the commit email address. Seems like the signature and the commit can have different emails, so to speak: "committed by fake@email.com and signed by real@email.com. The signature is valid by real@email.com".
Example I did, changing the email addresses:
```
git show --show-signature 11906e1
commit 11906e14155ae08b7e7e23f26aa9c04913ade5dd
Good "git" signature for good@email.com with ED25519 key SHA256:9uU6+7pNNzwVEKTecpJE4Bmm2WXaqZXMZRLe9rJZ0ZY
Author: fake name <fake@email.com>
Date: Mon Nov 25 13:36:28 2024 +0100
```
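As an added example that is not part of the original post: a shell check that closes the gap described above by comparing the signing principal with the author email, so a commit that is validly signed by one address but authored as another gets flagged. The function names and the sample rows are constructed for illustration (only the `11906e1` row uses values from the output above), and the check assumes the principals in the allowed-signers file are literal email addresses.

```shell
#!/usr/bin/env bash
# Added example (not from the original post).
# Input: one tab-separated line per commit, as produced by
#   git log --format='%H%x09%G?%x09%GS%x09%ae'
# %G? = signature status ("G" = good), %GS = signer (for SSH signatures the
# principal from gpg.ssh.allowedSignersFile), %ae = author email.

# Hypothetical helper: classify each commit and exit non-zero if any fails.
check_signer_matches_author() {
  awk -F'\t' '
    {
      status = $2
      signer = tolower($3)   # assumption: compare emails case-insensitively
      author = tolower($4)
      if (status != "G")          verdict = "NOT-VERIFIED"  # bad/unknown/unsigned
      else if (signer != author)  verdict = "MISMATCH"      # valid, other identity
      else                        verdict = "OK"
      printf "%s\t%s\tsigner=%s\tauthor=%s\n", verdict, substr($1, 1, 7), $3, $4
      if (verdict != "OK") bad = 1
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Constructed sample input so the example runs without a repository.
# Row 2 reproduces the commit shown above; rows 1 and 3 are made up.
sample_log() {
  printf '%s\t%s\t%s\t%s\n' \
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa G good@email.com good@email.com \
    11906e14155ae08b7e7e23f26aa9c04913ade5dd G good@email.com fake@email.com \
    bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb N '' fake@email.com
}

# In a real repository, replace sample_log with:
#   git log --format='%H%x09%G?%x09%GS%x09%ae'
sample_log | check_signer_matches_author \
  || echo "policy check failed: unverified commit or signer/author mismatch"
```

Swap `%ae` for `%ce` to compare against the committer email instead of the author email.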