The discussion in the "Re: [git patches] libata updates, GPG signed (but see admin notes)" thread on git mailing list is ongoing, but partial solutions that actually got implemented and have good chance to be accepted are:
* Signing commits (signature is hidden in commit object header, and stripped e.g. on rebase or amend)
* Puling signed tags, with merge and editing of its commit message enforced, and with saving the whole tag in commit object header for merge commit. Using "git pull <URL> <tag>" won't result in creating a new tag reference.