@bhaugen an nice tool to have would be a way to generate a gpg key pair from your ssb key pair.
(And vice-versa.)

Then you could gpg sign git tags with your ssb key and push to git-ssb, and ssb users could verify your signature using git's gpg integration.

However, anyone can overwrite any tag in git-ssb, which allows a DOS attack.

And people are not exactly great at remembering to check signatures either, especially given git's current interfaces for it.