A signed commit can only prove that the owner of a key did make a particular commit; it can't prove that they didn't make a commit, for instance by using some other undisclosed key.
This was actually a true impersonation case, because the researcher's Twitter username was free on GitHub, so the attacker just created a new account with that username and used it to create the malicious PR.
This could have been partially avoided with signed commits.
Not really. The username from the commits is the same one that created the PR. The username evildojo666 was available and the attacker just used it.