I haven't seen anything about requirements for gpg. Also the ux of it is not so great, so it's easy to just not have a signature without causing too much suspicion. Would be a much easier attack than what Jian Tan pulled off. Just wait for some contributor to go on holiday and send a malicious v2 patch. There are so many patches in the linux kernel processed that no one wouldn't notice.