"Github supports GnuPG signatures" does not contradict the statement "GnuPG is trash". I will not engage further, it's obvious you are not interested in honest discussion of the technical merits.
The issue is mostly with git itself, e.g. take a look at

    git cat-file commit HEAD

to see something like:

    tree <tree-hash>
    parent <parent-hash>
    author <author-name> <author-email> <timestamp>
    committer <committer-name> <committer-email> <timestamp>
    gpgsig -----BEGIN PGP SIGNATURE-----
    <ascii-armored RFC9580 signature>
    -----END PGP SIGNATURE-----
    <commit message>

You can view an example of the structure of this ascii-armored signature here <https://cirw.in/gpg-decoder/#-----BEGIN%20PGP%20SIGNATURE---...>. You can add a patch to git to support more signature types than just OpenPGP. You may then be able to move mountains and get GitHub/others to join in the validation. Finally, if you can find bugs/exploits in GnuPG, you should report them and you will definitely get credit and recognition for them. They are not trivial to find.
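The commit layout shown in the post above is what a verifier has to take apart before it can check anything: the armored block lives in a `gpgsig` header, and the data that was actually signed is the commit object with that header removed again. The following is an added example, not code from the poster or from git; it parses a constructed commit object (placeholder hashes, names and a placeholder armor body, not a real signature) and reconstructs the signed payload, including the folded continuation lines git uses for multi-line header values. It also goes slightly beyond the post by handling unsigned commits and unfolding headers in general.

```python
"""Split a raw git commit object (the text `git cat-file commit <rev>` prints)
into its headers, the embedded armored OpenPGP signature and the exact payload
git hands to the signature verifier.

Added example, not from the discussion above. Nothing here verifies a
signature cryptographically; it only shows how the gpgsig header is laid out
and how the signed bytes are recovered from the object.
"""

# Constructed sample. Git folds multi-line header values with one leading
# space per continuation line; a blank line inside the value becomes " ".
# The armor body below is a placeholder, not a real signature.
SAMPLE_COMMIT = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "parent 0000000000000000000000000000000000000000\n"
    "author Alice Example <alice@example.invalid> 1700000000 +0000\n"
    "committer Alice Example <alice@example.invalid> 1700000000 +0000\n"
    "gpgsig -----BEGIN PGP SIGNATURE-----\n"
    " \n"
    " iQEzBAABCAAdFiEEPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDE=\n"
    " =AbCd\n"
    " -----END PGP SIGNATURE-----\n"
    "\n"
    "Add a signed commit\n"
)

ARMOR_BEGIN = "-----BEGIN PGP SIGNATURE-----"
ARMOR_END = "-----END PGP SIGNATURE-----"


def _split_object(raw: str):
    """Return (header_text, message); the first blank line ends the headers."""
    header_text, sep, message = raw.partition("\n\n")
    if not sep:
        raise ValueError("commit object has no blank line before the message")
    return header_text, message


def parse_commit(raw: str):
    """Return (headers, message). headers is an ordered list of (key, value)
    pairs with folded continuation lines unfolded into the value."""
    header_text, message = _split_object(raw)
    headers = []
    for line in header_text.split("\n"):
        if line.startswith(" "):
            if not headers:
                raise ValueError("continuation line before any header")
            key, value = headers[-1]
            headers[-1] = (key, value + "\n" + line[1:])
        else:
            key, _, value = line.partition(" ")
            headers.append((key, value))
    return headers, message


def split_signature(raw: str):
    """Return (payload, signature).

    payload is the commit object with the gpgsig header and all of its
    continuation lines removed, which is the data the signature covers.
    signature is the unfolded armored block, or None for an unsigned commit.
    """
    header_text, message = _split_object(raw)
    kept, sig_lines, in_sig = [], [], False
    for line in header_text.split("\n"):
        if line.startswith(" "):            # folded continuation of previous header
            if in_sig:
                sig_lines.append(line[1:])  # drop the folding space
            else:
                kept.append(line)
            continue
        in_sig = line.startswith("gpgsig ")
        if in_sig:
            sig_lines.append(line[len("gpgsig "):])
        else:
            kept.append(line)
    signature = "\n".join(sig_lines) if sig_lines else None
    payload = "\n".join(kept) + "\n\n" + message
    return payload, signature


def is_armored_signature(sig) -> bool:
    """Cheap structural check on the armor frame; it says nothing about validity."""
    return bool(sig) and sig.startswith(ARMOR_BEGIN) and sig.rstrip("\n").endswith(ARMOR_END)


if __name__ == "__main__":
    payload, sig = split_signature(SAMPLE_COMMIT)
    print("signed payload:\n" + payload)
    print("armor frame ok:", is_armored_signature(sig))
```

The payload returned by `split_signature` is what would be passed, together with the detached armored block, to an OpenPGP implementation for verification; the structural check on the armor is deliberately separate from any cryptographic check, since a well-formed frame around garbage is exactly what a verifier must still reject.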