This repo includes extensions and workflow examples for attaching an arbitrary number of GPG signatures to a given commit or tag.
Git already supports commit signing. These tools are intended to complement that support by allowing a code reviewer and/or release engineer to attach their signatures as well.
A CI or build system that enforces m-of-n signature verification on git tags before they are released offers strong protection against tampering with the repository by a single bad actor or compromised system.
This approach builds entirely on the git-notes interface, which allows arbitrary data to be attached to an existing commit.
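An added example of the m-of-n gate such a CI step would run (not code from this repo). It assumes each reviewer's signature is a detached, ASCII-armored GPG signature over the raw tag object (`git cat-file tag <tag>`), that the signatures are appended back to back in the tag's note, and that the reviewers' public keys are already in the verifying keyring; the policy counts distinct trusted signers, so several signatures from one key still count once.

```python
import re
import subprocess
import tempfile
from pathlib import Path

SIG_BLOCK = re.compile(r"-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----\n?", re.S)


def split_signatures(note_text: str) -> list[str]:
    """Return each armored block in a note (assumed layout: signatures appended back to back)."""
    return SIG_BLOCK.findall(note_text)


def signer_fingerprints(status_output: str) -> set[str]:
    """From gpg --status-fd output, return one fingerprint per VALIDSIG line. Field 11 is the
    primary-key fingerprint when gpg knows it (so a reviewer's subkeys count once); else field 2."""
    fprs = set()
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[:2] != ["[GNUPG:]", "VALIDSIG"]:
            continue
        fprs.add(parts[11] if len(parts) > 11 else parts[2])
    return fprs


def verify_detached(signature: str, signed_data: bytes) -> set[str]:
    """Run gpg on one detached signature over signed_data; an empty set means it did not verify."""
    with tempfile.TemporaryDirectory() as tmp:
        sig, obj = Path(tmp, "sig.asc"), Path(tmp, "object")
        sig.write_text(signature)
        obj.write_bytes(signed_data)
        proc = subprocess.run(
            ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig), str(obj)],
            capture_output=True, text=True, check=False,
        )
    return signer_fingerprints(proc.stdout)


def meets_policy(signers: set[str], trusted: set[str], m: int) -> tuple[bool, set[str]]:
    """m-of-n: at least m distinct signers must be in the trusted set; unknown signers are ignored."""
    approved = set(signers) & set(trusted)
    return len(approved) >= m, approved


def _git(*args: str) -> bytes:
    return subprocess.run(["git", *args], capture_output=True, check=True).stdout


def check_tag(tag: str, trusted: set[str], m: int) -> tuple[bool, set[str]]:
    """Gate a release tag: verify every signature in its note, then apply the m-of-n policy."""
    signed_data = _git("cat-file", "tag", tag)  # raw object the reviewers are assumed to have signed
    signers: set[str] = set()
    for sig in split_signatures(_git("notes", "show", tag).decode()):
        signers |= verify_detached(sig, signed_data)
    return meets_policy(signers, trusted, m)
```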