Hacker News
by mikeash 3836 days ago
Shouldn't the server log incoming pushes so you can find when the commit arrived, not just when the commit claims to have been made?

Maybe they don't, but this seems like something they ought to do.

2 comments
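As an added illustration of what the post proposes (this is example code written for this thread, not code from the post or from any git hosting service): a post-receive hook records the server's own clock when a push arrives, and a small audit compares that arrival time with the author and committer dates the commits claim for themselves. The `git log --format='%H%x09%at%x09%ct'` format string is real git syntax; the hashes, timestamps, tolerance values and the `push_log_entry`/`audit_push` helper names are constructed for illustration.

```python
"""Server-side push audit: compare the time a push actually arrived (server
clock) with the times the commits claim for themselves (client-controlled).
Added example; not code from the original post.  Hashes, timestamps and
thresholds below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Commit:
    sha: str
    author_date: datetime     # %at: whatever the author's clock (or GIT_AUTHOR_DATE) said
    committer_date: datetime  # %ct: reset by amend/rebase/cherry-pick, equally settable


def parse_git_log(text: str) -> list[Commit]:
    """Parse the output of `git log --format='%H%x09%at%x09%ct' <old>..<new>`
    (one tab-separated line per commit in the pushed range)."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, at, ct = line.split("\t")
        commits.append(Commit(sha,
                              datetime.fromtimestamp(int(at), UTC),
                              datetime.fromtimestamp(int(ct), UTC)))
    return commits


def push_log_entry(received_at: datetime, ref: str, old: str, new: str, pusher: str) -> str:
    """The record a post-receive hook appends to an append-only server log.
    received_at is read from the server's clock, which the pusher cannot set."""
    return f"{received_at.isoformat()} {pusher} {ref} {old} {new}"


def audit_push(commits, received_at, max_skew=timedelta(minutes=5),
               max_age=timedelta(days=1)):
    """Return {sha: [finding, ...]} for commits whose claimed times do not fit
    the observed arrival time.  Findings are signals to investigate, not proof:
    a late push of old local work looks the same as a backdated commit."""
    findings = {}
    for c in commits:
        notes = []
        if c.committer_date > received_at + max_skew:
            notes.append("committer date is after the push arrived: clock skew or forged date")
        elif received_at - c.committer_date > max_age:
            notes.append(f"committer date predates arrival by {received_at - c.committer_date}: "
                         "late push or backdated commit")
        if c.author_date != c.committer_date:
            notes.append("author and committer dates differ: commit was rewritten "
                         "(amend/rebase/cherry-pick)")
        if notes:
            findings[c.sha] = notes
    return findings


# Constructed sample of what the git log command above would print for one push.
# The 40-character hashes are placeholders, not real commits.
SAMPLE_GIT_LOG = (
    "a" * 40 + "\t1370088000\t1370088000\n"   # committed at the moment of arrival: fine
    + "b" * 40 + "\t1369396800\t1369396800\n"  # claims to be 8 days older than arrival
    + "c" * 40 + "\t1370174400\t1370174400\n"  # claims to be made 1 day after arrival
    + "d" * 40 + "\t1369396800\t1370080800\n"  # authored 8 days ago, re-committed 2 h before arrival
)
# Server's clock when the push came in: 2013-06-01T12:00:00Z (epoch 1370088000).
RECEIVED_AT = datetime(2013, 6, 1, 12, 0, tzinfo=UTC)


def demo():
    """Run the audit over the constructed push; returns the findings dict."""
    return audit_push(parse_git_log(SAMPLE_GIT_LOG), RECEIVED_AT)


if __name__ == "__main__":
    print(push_log_entry(RECEIVED_AT, "refs/heads/main", "0" * 40, "a" * 40, "alice"))
    for sha, notes in demo().items():
        print(sha[:12], "->", "; ".join(notes))
```

In a real hook the `RECEIVED_AT` value is simply `datetime.now(UTC)` taken when the hook fires, and the log line must go somewhere the pusher cannot rewrite (a file outside the repository, or a remote syslog), because, as the reply below points out, a compromised git server can edit its own log as easily as anyone can edit a commit date.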

You could have them do it, but it's just going deeper down the rabbit hole. The eventual question is "who/what do you trust?" - maybe it was the git server that got pwned?

A PGP-signed commit with a key generated on a smartcard (and never exposed) is a little better, but ... Someone pwned RSA before, and I'd be surprised if Gemalto and Yubico (just two examples) don't have some Three-Letter-Agency backdoor (and ... I'm sure those TLAs have equipment that can read modern smartcards).

Difference between CMS & VCS.