
An idea that doesn't require signing is tracking commits internally.

If you push a commit made by you, GitHub can tag that as "trusted" (since you, the GH user, are vouching for your own commits). Then anyone who pulls them into their repo (even offline) and pushes them to their GH account would still have those commits tagged, since GH could match the hash with the ones it already knew about.

For the most part, this would solve the problem, since people usually upload the commits to their own GH fork and then issue a PR.
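
A minimal model of the tagging scheme proposed in the comment above, added here as an illustration; it is not part of the original post and not a GitHub feature. `VouchRegistry`, the account names and the rule that "your own commit" means the author email is verified for the pushing account are all assumptions.

```python
import hashlib

def commit_id(tree, parent, author, message):
    """Git-style commit id: SHA-1 over 'commit <len>\\0' + object body."""
    lines = [f"tree {tree}"] + ([f"parent {parent}"] if parent else [])
    lines += [f"author {author}", f"committer {author}", "", message]
    body = ("\n".join(lines) + "\n").encode()
    return hashlib.sha1(b"commit %d\x00" % len(body) + body).hexdigest()

class VouchRegistry:
    """Hypothetical server-side index of commit ids an account has vouched for."""
    def __init__(self, verified_emails):
        self.verified_emails = verified_emails   # account -> verified emails
        self.vouched = {}                        # commit id -> vouching account

    def push(self, account, commits):
        """commits: list of (commit id, author email). Returns {id: tagged?}."""
        tags = {}
        for cid, email in commits:
            own = email in self.verified_emails.get(account, set())
            if own and cid not in self.vouched:
                self.vouched[cid] = account      # author's own push vouches
            tags[cid] = cid in self.vouched      # other pushes match by hash only
        return tags

def demo():
    # Constructed sample data: accounts, emails and timestamps are made up.
    tree = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"   # git's empty-tree id
    alice = "Alice <alice@example.com> 1700000000 +0000"
    bob = "Bob <bob@example.com> 1700000100 +0000"
    reg = VouchRegistry({"alice": {"alice@example.com"},
                         "bob": {"bob@example.com"},
                         "mallory": {"mallory@example.com"}})
    c1 = commit_id(tree, None, alice, "initial commit")
    c2 = commit_id(tree, c1, bob, "fix typo")
    # Names Alice as author, but Alice's account never pushed it.
    c3 = commit_id(tree, c2, alice, "not written by alice")
    first = reg.push("alice", [(c1, "alice@example.com")])
    fork = reg.push("bob", [(c1, "alice@example.com"), (c2, "bob@example.com")])
    other = reg.push("mallory", [(c1, "alice@example.com"), (c3, "alice@example.com")])
    return first[c1], fork[c1], fork[c2], other[c1], other[c3]

if __name__ == "__main__":
    print(demo())
```

In this model a commit that reaches the server first through someone else's account stays untagged until its author's account pushes the same hash.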



