I was also told that having a signature on every commit makes pulling the entire repo take forever (because it has to validate every commit). Not sure how true that is.
While I don't know how bad the performance would be on huge repos, there is of course an option to turn it on or off (--[no-]verify-signatures.) which I believe is off by default.
