> However, gpg signing release tag commits is dead simple and would
> take a total of maybe 10 minutes of work over the lifetime of the project
> (please correct me if I'm wrong).

I second this statement. GPG signing sounds good to me. We should do this.

> I know that https can be a bit tedious to setup so I am not asking for it
> (though I do think it would be great if it was enabled on the site in some
> fashion).

HTTPS is not so tedious these days with Let's Encrypt.

https://letsencrypt.org/

We should set up HTTPS as well.