`git tag -s` is all that's needed. The primary problem in your horror story is that you GPG signed a commit with a tag when you shouldn't have. When you tag with GPG, you are saying you do trust the history. You didn't review the commits you were signing with the tag and that's where you made your mistake.
Ultimately a human being has to be responsible for reviewing code. Once it's reviewed, you can tag and sign it. No GPG signature is going to make up for not reviewing your code.
Linus himself is against GPG signing commits.
http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-t...
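The point that a signed tag vouches for the whole history, not just the tagged commit, follows from how git names objects: a tag signs a commit ID, the commit ID covers its tree and its parent IDs, and so on back to the root. The following is an added example, not code from the comment above or from git itself: a small Python reimplementation of git's object hashing (blob, tree, commit, and the tag payload that `git tag -s` hands to gpg) that builds a two-commit history, then alters the root commit's file contents to show that the signed tag payload changes even though the tagger never touched that commit. The author identity, timestamps, file names and file contents are constructed for the demo.

```python
import hashlib

# Identity string in git's "Name <email> unix-timestamp tz" form (constructed for the demo).
IDENT = "A U Thor <author@example.com> 1700000000 +0000"


def git_object_id(obj_type: str, body: bytes) -> str:
    """SHA-1 of 'type size\\0body', which is exactly how git names objects."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def blob_id(data: bytes) -> str:
    return git_object_id("blob", data)


def tree_id(entries: dict) -> str:
    """entries maps file name -> blob hex ID; all entries are regular files (mode 100644).
    git stores tree entries sorted by name with the raw 20-byte object ID."""
    body = b""
    for name in sorted(entries):
        body += f"100644 {name}\0".encode() + bytes.fromhex(entries[name])
    return git_object_id("tree", body)


def commit_id(tree: str, parents: list, message: str, ident: str = IDENT) -> str:
    """A commit names its tree and its parents, so its ID covers all ancestors."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return git_object_id("commit", "\n".join(lines).encode() + b"\n")


def tag_payload(commit: str, name: str, message: str, ident: str = IDENT) -> bytes:
    """The bytes `git tag -s` signs. git appends the armored PGP signature after this
    payload to form the tag object; verification re-hashes exactly these bytes."""
    return f"object {commit}\ntype commit\ntag {name}\ntagger {ident}\n\n{message}\n".encode()


def build_history(readme: bytes) -> tuple:
    """Two commits: the root adds README, the second adds main.c on top of it."""
    root = commit_id(tree_id({"README": blob_id(readme)}), [], "initial")
    second = commit_id(
        tree_id({"README": blob_id(readme), "main.c": blob_id(b"int main(void){return 0;}\n")}),
        [root],
        "add main",
    )
    return root, second


def signed_payloads() -> tuple:
    """Returns (honest payload, payload after an ancestor is altered)."""
    _, tip = build_history(b"hello\n")
    honest = tag_payload(tip, "v1.0", "Release 1.0")

    # Change only the root commit's README; the tagger "reviewed" just the tip.
    _, tip_tampered = build_history(b"hello (altered in the root commit)\n")
    tampered = tag_payload(tip_tampered, "v1.0", "Release 1.0")
    return honest, tampered


if __name__ == "__main__":
    honest, tampered = signed_payloads()
    print(honest.decode())
    print("payload changes when an ancestor changes:", honest != tampered)
```

Because the tip commit's ID changes whenever any ancestor changes, a valid signature over the tag payload is a statement about every commit reachable from the tag, which is why the tagger is on the hook for reviewing all of it.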