Assuming that the machine of a maintainer is compromised, it is possible to have the merge commit modified before it is signed and pushed.
As we already have the requirement that "everyone without exception contributes patch proposals using pull requests." [1], I'd propose that we add the requirement that a pull request can only be merged when there is no merge conflict to be solved. Thus, verify-commits could not only check the signature of every merge commit but also fail when the merge commit modifies more code than the branch that is about to be merged did.
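
The check proposed above, sketched as an added example that is not part of the original issue or of the project's verify-commits script: redo the merge of the two parents and compare the resulting tree with the one recorded in the merge commit. The function names `is_clean_merge` and `make_demo_repo`, the placeholder identity, and the sample repository are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the project's verify-commits script; function names are hypothetical.
# is_clean_merge COMMIT (run inside the repo): exit 0 only if COMMIT's tree is exactly
# what git produces by merging its two parents automatically; 1 if not; 2 on bad input.
is_clean_merge() {
    parents=$(git rev-list --parents -n 1 "$1" 2>/dev/null) || return 2
    set -- $parents                          # commit, parent1, parent2
    [ $# -eq 3 ] || return 2                 # not a two-parent merge
    recorded=$(git rev-parse "$1^{tree}") || return 2
    tmp=$(mktemp -d) || return 2
    # Redo the merge in a throwaway worktree so the caller's checkout is untouched.
    git worktree add --detach "$tmp/wt" "$2" >/dev/null 2>&1 || { rm -rf "$tmp"; return 2; }
    # git merge insists on a committer identity even with --no-commit (placeholder used).
    if git -C "$tmp/wt" -c user.name=check -c user.email=check@example.invalid \
           merge --no-ff --no-commit "$3" >/dev/null 2>&1; then
        redone=$(git -C "$tmp/wt" write-tree)
    else
        redone=conflict                      # conflict (or merge failure): not a clean merge
    fi
    rm -rf "$tmp"; git worktree prune
    [ "$redone" = "$recorded" ]
}

# Constructed sample repo: prints the hash of a clean merge, then of a merge commit
# that also rewrites a.txt, a file the merged branch never touched.
make_demo_repo() (
    set -e
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    {
        git init -q "$1"; cd "$1"
        echo base > a.txt; echo base > b.txt
        git add a.txt b.txt; git commit -q -m base
        base=$(git rev-parse HEAD)
        git checkout -q -b feature; echo feature > b.txt; git commit -q -am feature
        git checkout -q --detach "$base"; git merge -q --no-ff -m "clean merge" feature
        clean=$(git rev-parse HEAD)
        git checkout -q --detach "$base"; git merge -q --no-ff --no-commit feature
        echo tampered > a.txt; git add a.txt; git commit -q -m "modified merge"
    } >/dev/null 2>&1
    echo "$clean"; git rev-parse HEAD
)
```

A signature check alone would accept both sample merges if the signing key were used on the compromised machine; the tree comparison is what distinguishes them.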