I think if you trust your maintainer/central tool enough to merge code from your developers then i think you can also trust them to verify all the commit signatures they receive and then resign the resulting merge right? After all they could simply create all the commits they want themselves right? The authors commit signature from before the merge will be lost. If you use signed tags though the merge will retain the initial signature on merge in the merge message.

btw. i am also a great fan of the phabricator workflow :)