The “Atlassian Developers” site has a summary of interesting features in the recent Git 2.2.0 release, including signed pushes. “This is an important step in preventing man-in-the-middle attacks and any other unauthorized updates to your repository’s refs. git push has learnt the --signed flag which applies your GPG signature to a “push certificate” sent over the wire during the push invocation. On the server-side, git receive-pack (the command that handles incoming git pushes) has learnt to verify GPG-signed push certificates. Failed verifications can be used to reject pushes and those that succeed can be logged in a file to provide an audit log of when and who pushed particular ref updates or objects to your git server.“
Read more at LWN