I have created a new gpg key (I have lost my old one somewhere) and made that git tag. But thinking logically I can’t understand the policy of requiring signed tags. If an attacker is able to commit code using the ssh account, he is able to create bogus gpg keys. Unless I am incredibly diligent in maintaining my gpg keys, the signatures are close to worthless. Making a gpg key doesn’t even require one to own the email account. At best the whole setup gives some false sense of security. Unless you are willing to force some draconian measure and only allow trusted signatures, then the whole thing is nonsense. Actually the whole thing is nonsense to begin with. I understand the idea of allowing someone to “sign” a tag in a repository (I understand it, but I think it has little actual utility). But requiring signatures (and thus generating a flood of bogus signatures in the repository) is stupid.
This is the general problem with computer security. The vast majority of users / software ignores security and then a small percentage of users overdo it with paranoia. In fact, this paranoia is usually so great that it makes proper secure procedures too hard to bother with for the vast majority of users, hence the system has built-in feedback.
Example: If crappy (but easy to set up and use) encryption is available, it will likely result in higher, not lower security. For example: setting up an ssl-using webserver is a hassle. Hence, many passwords are sent in the clear (because they are for websites with little interest in high security). The problem is that people hate remembering passwords, hence the same passwords are used as for websites which use encryption, and voila. If setting up simple encryption on a webserver were as simple as tuning parameters, it could be on by default, and most web traffic would be encrypted. You would not have authentication, but it is far harder to impersonate a site than it is to sniff for passwords sent in the clear. By tying encryption and authentication together, the bar was raised high enough that encryption is rare.
Digitally signed git tags are even less useful. I would bet most people making such tags have unverified digital signatures, simply generating some warm feelings among the paranoid crowd.
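The distinction the post is drawing, between a tag that merely carries a signature and a tag signed by a key the project actually trusts, can be made concrete. The following is an added illustration, not code from the original post: it parses the GnuPG status lines that `git verify-tag --raw <tag>` prints and applies either a "any signature will do" policy or a "trusted signers only" policy. The fingerprints and status lines are constructed sample data.

```python
"""Evaluate a git tag signature under two policies, using the GnuPG status
lines that `git verify-tag --raw <tag>` emits on stderr."""
import re

# Hypothetical allow-list of key fingerprints the project trusts (constructed).
TRUSTED_FINGERPRINTS = {"ABCDEF0123456789ABCDEF0123456789ABCDEF01"}

# Ranking of the trust keywords gpg reports for the signing key.
TRUST_RANK = {"TRUST_UNDEFINED": 0, "TRUST_NEVER": 0, "TRUST_MARGINAL": 1,
              "TRUST_FULLY": 2, "TRUST_ULTIMATE": 3}

# Constructed status output: a good signature from a key on the allow-list.
TRUSTED_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 23456789ABCDEF01 Release Manager <rm@example.org>
[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2024-01-01 1704067200 0 4 0 1 10 00 ABCDEF0123456789ABCDEF0123456789ABCDEF01
[GNUPG:] TRUST_ULTIMATE 0 pgp"""

# Constructed status output: a good signature from a freshly made, unknown key
# (the "bogus key" case described in the post). gpg still says GOODSIG.
UNKNOWN_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0011223344556677 Somebody <whoever@example.org>
[GNUPG:] VALIDSIG 00112233445566770011223344556677001122FF 2024-01-02 1704153600 0 4 0 1 10 00 00112233445566770011223344556677001122FF
[GNUPG:] TRUST_UNDEFINED 0 pgp"""


def evaluate_signature(status_output: str) -> dict:
    """Parse gpg status lines; report whether the tag is signed, by which key,
    at what trust level, and whether the key is on the allow-list."""
    good, fingerprint, trust = False, None, "TRUST_UNDEFINED"
    for line in status_output.splitlines():
        m = re.match(r"\[GNUPG:\] (\S+)(?: (.*))?", line)
        if not m:
            continue
        keyword, rest = m.group(1), m.group(2) or ""
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            fingerprint = rest.split()[0]   # first field is the signing key fpr
        elif keyword in TRUST_RANK:
            trust = keyword
    signed = good and fingerprint is not None
    return {"signed": signed, "fingerprint": fingerprint, "trust": trust,
            "trusted": signed and fingerprint in TRUSTED_FINGERPRINTS}


def tag_allowed(status_output: str, require_trusted: bool) -> bool:
    """Policy gate: any good signature, or only signatures from trusted keys."""
    verdict = evaluate_signature(status_output)
    return verdict["trusted"] if require_trusted else verdict["signed"]
```

Under the "any signature" policy both constructed tags pass, which is the post's complaint; only the allow-list policy rejects the unknown key.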