Some kind of key fetch/validation mechanism would be ideal, but PGP signatures should be handled a bit better regardless to prevent the UX impairment they currently cause. I've attached a screenshot, and messages attached to signed commits can't be viewed in list mode - you have to navigate to the commit page to see the text after the PGP block (see "removed favicon" in the second screenshot).
This can be recreated by having GPG installed locally and running "git commit -S ....".
GitHub appears to have hacked around this by discarding the PGP block when showing comments - e.g. it would show "removed favicon" in commit list view rather than "gpgsig -----BEGIN PGP SIGNATURE-----".
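As an added illustration (not code from the original issue or from either forge), here is a small parser for the raw commit object that `git cat-file -p` prints, showing how the multi-line `gpgsig` header can be separated from the message so a list view displays the subject rather than the armour header. The sample commit object is constructed and its signature body is a placeholder.

```python
from typing import List, Tuple

# Constructed sample of a signed commit object as `git cat-file -p <sha>`
# prints it; the signature payload is a placeholder, not real data.
SIGNED_COMMIT = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "parent 0000000000000000000000000000000000000000\n"
    "author Dev <dev@example.com> 1700000000 +0000\n"
    "committer Dev <dev@example.com> 1700000000 +0000\n"
    "gpgsig -----BEGIN PGP SIGNATURE-----\n"
    " \n"
    " PLACEHOLDERSIGNATUREDATA\n"
    " =AbCd\n"
    " -----END PGP SIGNATURE-----\n"
    "\n"
    "removed favicon\n"
    "\n"
    "The old one was stale.\n"
)


def parse_commit(raw: str) -> Tuple[List[Tuple[str, str]], str]:
    """Split a raw commit object into (headers, message).

    Headers end at the first empty line. A header value may span several
    lines; each continuation line starts with a single space, which is how
    `gpgsig` carries the PGP block. Treating those continuation lines as
    message text is what produces the list-view problem described above.
    """
    headers: List[Tuple[str, str]] = []
    lines = raw.split("\n")
    i = 0
    while i < len(lines) and lines[i] != "":
        line = lines[i]
        if line.startswith(" ") and headers:
            key, value = headers[-1]
            headers[-1] = (key, value + "\n" + line[1:])
        else:
            key, _, value = line.partition(" ")
            headers.append((key, value))
        i += 1
    message = "\n".join(lines[i + 1:])
    return headers, message


def commit_subject(raw: str) -> str:
    """First message line: what a commit list view should display."""
    _, message = parse_commit(raw)
    return message.strip().split("\n", 1)[0]


def commit_signature(raw: str) -> str:
    """The armoured signature, if any, kept aside for separate verification."""
    headers, _ = parse_commit(raw)
    return next((value for key, value in headers if key == "gpgsig"), "")
```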