I don’t think we can get any security advantage from this. It’s a security feature provided by a third-party server. “Commit is signed” is meaningless because creating an arbitrary signing key is cheap. All Kicksecure / Whonix git commits and tags are signed. Those by contributors might not be signed, but I have to carefully review, merge and sign these. Whenever users download the source code, they can end-to-end verify it against my signing key.
It’s more like a policy tool, useful for enforcing policies in big organizations.
You’d have to suggest a specific threat model showing where and how some specific setting would help.