I feel like anyone would expect this to be guarded against though. There may not be a particular reason to "need" it, but the fact it's even possible is ridiculous.
Consider that I can pull a branch from someone else's repo (even if that repo is not on GitHub), merge it into my own fork of something, and then push all of that to GitHub.
All of the commits in that branch I pulled, regardless of who committed them (not me, presumably) should still be attributed to their original authors, and that's what will happen on the fork I push to GH.
This is fundamentally necessary to how the distributed nature of git works. If you want to assure others that commits really came from you, you need to sign your commits. But so few people do that, so the default is just to trust that commits are from who they say they are.
Perhaps GitHub could have a feature whereby you could toggle a setting so they won't link a commit to your GH user account unless it's signed by you. That still comes with its own problems (like say you submit a PR to some project, but the maintainer rebases master onto your branch before merging, which will kill the signatures).
But still, signing every commit is not really necessary. I personally only sign release tags, which implicitly cover all commits leading up to those releases.
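A way to check the point made in the comment above, added here as an example and not written by the commenter: the author field is plain metadata, and `git log`'s `%G?` placeholder shows which commits reachable from a release tag actually carry a good signature. The helper names, the throwaway repository, the `v1.0` tag and the identities are all constructed for illustration, and signing is switched off so the script runs without a key.

```shell
#!/usr/bin/env bash
# Added example. All names and addresses are constructed; nothing here contacts GitHub.

# Shared git options: fixed committer identity, signing off so the demo needs no key.
g() {
  git -c user.name="Demo Committer" -c user.email="demo@example.invalid" \
      -c commit.gpgsign=false -c tag.gpgsign=false "$@"
}

# Create a throwaway repo whose two commits claim different authors, then tag it.
make_demo_repo() {
  demo_dir=$(mktemp -d) || return 1
  g -C "$demo_dir" init -q
  g -C "$demo_dir" commit -q --allow-empty -m "first" \
      --author="Alice Example <alice@example.invalid>"
  g -C "$demo_dir" commit -q --allow-empty -m "second" \
      --author="Bob Example <bob@example.invalid>"
  g -C "$demo_dir" tag -a -m "release" v1.0
  printf '%s\n' "$demo_dir"
}

# One line per commit: signature status (%G?: G = good, N = none), hash, claimed author.
signature_report() { git -C "$1" log --format='%G? %h %an <%ae>' "$2"; }

# Number of commits reachable from a revision that lack a good signature.
count_unverified() { git -C "$1" log --format='%G?' "$2" | grep -vc '^G$' || true; }

# Number of commits the tag's target hash transitively commits to via parent links.
commits_covered_by() { git -C "$1" rev-list --count "$2"; }

# Demo run: both commits are accepted with their claimed authors and report status N.
repo=$(make_demo_repo)
signature_report "$repo" v1.0
echo "unverified: $(count_unverified "$repo" v1.0) of $(commits_covered_by "$repo" v1.0)"
rm -rf "$repo"
```

On a real repository, running `git verify-tag` on a signed release tag checks the tag's signature, and because each commit hash includes its parents' hashes, that one signature pins the whole history counted by `commits_covered_by`.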