Only base your branches off signed tags.
This means that you cannot base one of your branches off one of my branches, unless you're willing to recover from an upstream rebase by rebasing onto my rebase, ad infinitum.
This means that, unless a tag is signed, you cannot refer to it at all.
Once a tag has been signed, all parents of that commit are immutable. This doesn't mean that they won't be copied and edited, but the originals will remain in tact. This allows you to base your changes off signed tags.
While this appears incompatiable with a traditional git workfow, it is not.
It is effectively equivalent to keeping all my development branches and tags local, and only having the signed tags in the repository. (In this imaginary repository, the master branch (the one pointed to by HEAD) would be pointing at the oldest branch point of all the signed tags.)
Doing things this way is more interesting for you as you can see work in progress, and no less convenient as it's a superset of the traditional workflow.
Basically, it allows me to treat the repository as a pile of patches.