GPG signing in git is possibly cumbersome, partly because you can only sign a tag, and I don't think we want to be creating tags for every pull request (though if they don't propagate by default that might be OK).
All you really need to sign is the email requesting the 'pull' and make sure the hash of the commit is in that email and easy for Linus to either use directly or check.
Unfortunately I cannot ask Linus to
git pull git://myhost/path hash-tag-goes-here
because git doesn't want a hash-tag, it wants a refspec.
However, if git-pull were changed to accept that, and git-request-pull were changed to output exactly the right 'git pull' command, then Linus could just verify the signature on the email (which I hope his email client is up to!) and use the command that is in it. Then it doesn't matter how secure the hosting provider is - if the pull succeeds, it can be trusted as much as the person who signed the email.
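The git side of the scheme described in the message above, as an added example that is not code from the thread or from git itself. It assumes the maintainer has already verified the GPG signature on the e-mail (gpg is left out because it needs keys) and has extracted the commit hash the e-mail names. Since git pull wants a refspec rather than a hash, the example fetches the host's HEAD and then merges exactly the signed commit, which git merge accepts directly; the host is not trusted for anything, so if the signed commit is not among the fetched objects the merge is refused. Repository paths, the committer identity and the function names are hypothetical, and the two repositories are constructed in a temporary directory for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread: acting on a signed pull
# request with unchanged git. Assumes the e-mail signature was already
# verified and $signed is the hash taken from that e-mail. Paths and
# function names are hypothetical.
set -eu

# A committer identity so the demo runs in a bare environment.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# pull_signed_hash <repo> <url> <hash>
# git pull wants a refspec, so fetch the host's HEAD and then merge the
# exact commit the signed e-mail named. Nothing the host advertises is
# trusted: if the signed commit did not arrive with the fetch, refuse.
pull_signed_hash() {
    repo=$1; url=$2; want=$3
    git -C "$repo" fetch -q "$url" HEAD
    if ! git -C "$repo" cat-file -e "${want}^{commit}" 2>/dev/null; then
        echo "refusing: signed commit $want not served by $url" >&2
        return 1
    fi
    # The signed commit is present; note if the host's HEAD has been
    # rewritten so that it no longer contains it (stale or rewritten branch).
    if ! git -C "$repo" merge-base --is-ancestor "$want" FETCH_HEAD; then
        echo "note: HEAD at $url no longer contains $want; merging only that commit" >&2
    fi
    git -C "$repo" merge -q --no-edit "$want"
}

# demo_signed_pull: a contributor repository and two maintainer clones;
# one honest request, and one where the host rewrote the commit after the
# e-mail was signed. Returns 0 when the honest pull lands on the signed
# hash and the rewritten one is refused.
demo_signed_pull() {
    work=$(mktemp -d)
    contrib=$work/contrib
    git -c init.defaultBranch=main init -q "$contrib"
    echo base > "$contrib/README"
    git -C "$contrib" add README
    git -C "$contrib" commit -q -m "base"
    git clone -q "$contrib" "$work/maint-a"
    git clone -q "$contrib" "$work/maint-b"

    # Contributor commits the feature and mails its hash in a signed e-mail.
    echo feature >> "$contrib/README"
    git -C "$contrib" commit -q -a -m "feature"
    signed=$(git -C "$contrib" rev-parse HEAD)

    # Honest case: the host serves exactly the commit named in the e-mail.
    pull_signed_hash "$work/maint-a" "$contrib" "$signed"
    got=$(git -C "$work/maint-a" rev-parse HEAD)
    [ "$got" = "$signed" ] || { rm -rf "$work"; return 1; }

    # Hosting provider (or an attacker on it) rewrites the commit; the
    # hash in the signed e-mail no longer matches what the host serves.
    echo backdoor >> "$contrib/README"
    git -C "$contrib" commit -q -a --amend -m "feature"
    if pull_signed_hash "$work/maint-b" "$contrib" "$signed"; then
        rm -rf "$work"; return 1
    fi
    echo "honest request merged as $signed; rewritten host refused"
    rm -rf "$work"
}

demo_signed_pull
```

The check that matters is the cat-file test: the hash in the signed e-mail pins the exact tree, so a host that serves anything else simply cannot supply that object, and the merge never happens. The ancestor check is only advisory, since a host whose branch has moved on legitimately still contains the signed commit.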