
How can multiple people sign an existing git tag?


I know I can sign a tag when creating it:

git tag -s v1.5 -m 'my signed 1.5 tag'

But what if we want an approval process for code review/promotion whereby multiple people must all sign a tag before an official release is made public?

Is it possible to sign a tag after it's been created? How would multiple signatories add their signature to an existing tag?


Solution

  • Is it possible to sign a tag after it's been created?

    No—or rather, not with anything built in to Git. (Nor can Git check multiple separate PGP signatures.)

    The most straightforward way to do this with the existing tools would be to create one signed annotated tag per person, all pointing to the same commit. You can then verify each signature individually, and verify that the commit that all the signatures approve is one particular single commit.

    (There's no theoretical reason you couldn't have multiple signatures inside the data for an annotated tag, although every time you add a new signature you'd be generating an entire new tag.)
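
The one-tag-per-person scheme from the answer, sketched as a release gate. This is an added example, not part of the original answer; the `<release>-approved-<name>` tag naming and the function names `approved_commit` and `verify_approvals` are assumptions made for illustration.

```bash
# Added example: one signed annotated tag per approver, all on one commit.
# The "<release>-approved-<name>" tag naming is an assumption of this sketch.

# Print the single commit that every approver's tag points at; fail otherwise.
approved_commit() {
    local release="$1" name tag commit expected=""
    shift
    for name in "$@"; do
        tag="refs/tags/${release}-approved-${name}"
        # Must be an annotated tag object: a lightweight tag carries no signature.
        if [ "$(git cat-file -t "$tag" 2>/dev/null)" != "tag" ]; then
            echo "missing or lightweight tag: $tag" >&2
            return 1
        fi
        # Peel the tag down to the commit it approves.
        commit=$(git rev-parse --verify -q "${tag}^{commit}") || return 1
        if [ -n "$expected" ] && [ "$commit" != "$expected" ]; then
            echo "$tag points at $commit, expected $expected" >&2
            return 1
        fi
        expected=$commit
    done
    # With no approvers listed there is nothing to approve: fail.
    [ -n "$expected" ] && echo "$expected"
}

# Verify each approver's signature individually.
verify_approvals() {
    local release="$1" name
    shift
    for name in "$@"; do
        git verify-tag "${release}-approved-${name}" || return 1
    done
}

# Each approver runs:
#   git tag -s v1.5-approved-alice -m 'approve 1.5' <commit>
# Release gate:
#   commit=$(approved_commit v1.5 alice bob) && verify_approvals v1.5 alice bob
```

`git verify-tag` only reports whether a signature is good for some key in the local keyring; tying each tag to the named approver's key is a separate check.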