Thanks for reporting https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972273 in 2020. I think this would be a useful feature.
I have in my ~/.gitconfig: [tag] gpgsign = true [commit] gpgsign = true Thus all my tags are automatically signed. But it would be valuable for Debian as a whole if git-buildpackage enforced signing of the upstream/<version> tags. Would you like to work on it a bit more and submit it at https://salsa.debian.org/agx/git-buildpackage/-/merge_requests?
