
Git: Explain why it is not silly to Sign Commits/Tags using a PGP Key


Let me start off by saying that I have a pretty good suspicion that it is not silly AT ALL to sign your commits and tags, but I need help understanding how it works.

With that being said: if the whole reason for signing is to verify that the commit/tag was done by you (since you can impersonate anybody on Git), what prevents a malicious user from creating a secret key using my information and signing the commit with it?


Solution

  • Thanks michaelmichael. Your link about web of trust pointed me to the right direction.

    For anyone that may be asking this same question: the answer is simply that your key is not really trustworthy if you do not have signatures of others (established web of trust).

    These signatures imply that the person who signed your key verified your identity before doing so (maybe the person knows you, or you presented valid identification, etc.). These signatures may not mean anything to the person who is trying to validate your identity unless you have a person that they trust who has already signed your key. In the event that you do not have "people in common", you would have to prove your identity by some other means and get them to sign your key so its integrity increases.

    Good reads (they helped me understand PGP and GPG better):

    If you are interested in the key signing process, read this:

    http://www.phildev.net/pgp/gpgsigning.html
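The practical consequence of the answer above is that a verifier must distinguish "the signature is cryptographically valid" from "the signing key really belongs to this author". The following POSIX shell check is an added example, not part of the original question or answer: it uses git's `%G?` signature-status codes (`U` is exactly the case of a good signature from a key nobody has verified, such as one generated with a stolen name and email) and accepts only keys whose fingerprints were verified out of band. The fingerprints and the repository path are constructed placeholders.

```shell
#!/bin/sh
# Fingerprints of keys whose owners we verified ourselves (constructed sample
# values; replace with the fingerprints you checked in person or via the web of trust).
TRUSTED_FPRS="0123456789ABCDEF0123456789ABCDEF01234567 89ABCDEF0123456789ABCDEF0123456789ABCDEF"

# classify_signature STATUS FINGERPRINT
#   STATUS is git's %G? code: G good and trusted by gpg, U good but key of
#   unknown validity, B bad, X/Y expired, R revoked, E cannot check, N unsigned.
# Returns 0 only when the signature is valid AND the key is one we verified.
classify_signature() {
  status=$1
  fpr=$2
  case "$status" in
    G|U) ;;  # cryptographically valid; whether to trust the key is decided below
    N) echo "REJECT: commit is not signed"; return 2 ;;
    B) echo "REJECT: bad signature (content altered or signature forged)"; return 3 ;;
    X|Y) echo "REJECT: signature or signing key expired"; return 4 ;;
    R) echo "REJECT: signing key has been revoked"; return 5 ;;
    E) echo "REJECT: signature cannot be checked (public key not available)"; return 6 ;;
    *) echo "REJECT: unknown signature status '$status'"; return 7 ;;
  esac
  # A key freshly generated with the author's name and email verifies fine
  # but lands here with an unknown fingerprint: valid signature, untrusted key.
  for t in $TRUSTED_FPRS; do
    if [ "$t" = "$fpr" ]; then
      echo "ACCEPT: good signature from verified key $fpr"
      return 0
    fi
  done
  echo "REJECT: valid signature, but key $fpr was never verified"
  return 1
}

# check_head_commit [REPO_DIR]: apply the policy to the tip commit of a repository.
# Assumes git is installed and the signers' public keys are in the gpg keyring.
check_head_commit() {
  dir=${1:-.}
  line=$(git -C "$dir" log -1 --format='%G? %GF' 2>/dev/null) || {
    echo "REJECT: $dir is not a git repository"; return 8; }
  # shellcheck disable=SC2086  # word-splitting into status and fingerprint is intended
  set -- $line
  classify_signature "${1:-}" "${2:-}"
}
```

Run `check_head_commit /path/to/repo` in a CI step; a signature that `git log --show-signature` reports as "Good signature" but whose key is not certified shows up here as `U` and is rejected unless its fingerprint is on the list.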