Another thing I tried out with git was signing tags with gpg keys. Things would have been a lot easier if I knew more of git or gpg - I'm not yet too familiar with either. Obviously I have used encryption with emails before, but since this has been with Outlook, the whole thing works a little bit differently (the interface for key ring handling is in Outlook).
So here's how you can do it:
1. The user creates a gpg key with gpg --gen-key.
2. Then he exports the public key with gpg --armor --export firstname.lastname@example.org > mypk
3. He sends the public key file to you for you to save it in the git user's keyring (assuming you are using gitosis). You then import it with gpg --import mypk. It might also be a good idea to sign this key with gpg --edit-key email@example.com.
4. Next you need to add the verification somewhere in the git hooks, pre-receive might be the best bet. Checking the validity is done with git tag -v "tag_id". The code could be something like (I haven't done this yet myself):
m/(.+) (.+) refs\/tags\/(.+)/;
my $ret = open(FH, "-|", "git-tag", "-v", $3);
# Check that output shows the signature is good
And hey presto! You have just made sure that your system only accepts tags signed by people you have accepted.