Signing all commits has significant value when you do it universally, and all the more when you have CI that expects it.
Eliminate CI as an attack surface
Once you have a CI system that rejects any unsigned commits, you avoid an attacker with git access being able to explore or execute code on these systems at all.
Short of enforced signing, anyone can commit with the email of anyone else. A typical VCS like Git has no way to protect against this.
If someone submits 5 very similar PRs, one might review the first one in detail then not inspect the rest quite as close, because humans. By contrast however if 4 of the 5 are signed, suddenly the outlier is suspect, could be from someone else entirely, and will get additional scrutiny.
A dishonest or disgruntled employee could easily rewrite history to make a mistake appear to have been committed by someone else, instead of having to come to terms with it.
When engineers all sign their commits both at work and in open source projects, it avoids reputation hijacking where someone might commit malicious code to a repo with a naive maintainer hoping they will blindly trust your name without careful inspection.
Only signing tags implies you are approving the whole history
By signing only tags you place the full burden of reviewing all history and every line of code between releases on the individual cutting a release. In a large codebase this is an unreasonable expectation.
Having signing and review at every PR between releases distributes responsibility more fairly. When you sign a commit or sign a merge commit after a PR you are signing only that one chunk of code or subset of changes and creating a smaller set of checks and balances through the release cycle.
Proof of code-review
Once a merge to master is done, CI should fail to build unless the merge commit itself at HEAD is signed, and signed by someone different than the authors of the included commits.
Adjust your ~/.gitconfig to be similar to the following:
[user] email = firstname.lastname@example.org name = John H. Doe signingKey = 6B61ECD76088748C70590D55E90A401336C8AAA9 # get from 'gpg --list-keys --with-colons' [commit] gpgSign = true [gpg] program = gpg2