I saw "(github.com)" next to the article title and thought that maybe Github was spear-heading some sort of effort to enable folks to more easily set up PGP and sign their commits. Alas.

That said, +1 to calling out that we ought to be signing and verifying git-commits.

If we push verifying, then signing is bound to follow. It feels like the (small) push is on signing currently.