The private key that I would hypothetically sign commits with? Then signing commits is compromised too. I’m not sure what point you’re making.
On the other hand if I don’t sign my commits then any signed commits (from my stolen private key (SSH)) look out of place. Like it’s weird that all these malicious commits are also signed, even though I have never signed commits.