
Running brew upgrade uses git, so it has to run the insecure git to upgrade.


Wait until you hear about how your OpenSSL patches get delivered!


Via signed Git tags?

  object 19cc035b6c6f2283573d29c7ea7f7d675cf750ce
  type commit
  tag openssl-3.0.7
  tagger Tomas Mraz <tomas@openssl.org> 1667335515 +0100

  OpenSSL 3.0.7 release tag
  -----BEGIN PGP SIGNATURE-----

  iQJGBAABCAAwFiEE3HAyZir4heL0fyQ/UnRmohynnm0FAmNhhWASHHRvbWFzQG9w
  ZW5zc2wub3JnAAoJEFJ0ZqIcp55tZRkQAJKQ35fUFQ3Wfuj4vbNQNX0Iv/c11q9o
  7Li8A8ananoYhnW9tpVTfpBCHAbE/fvwY3TMCE6IzBsRcjjef1CAqtEEDYI39aEt
  Nr00hUTVQeeH95viYMhmelq6axjkX8dGjfZBufZPJzrKrrj/eZLfmL3A1nZ9yYeF
  MCTxzpcOtaanJQ35h1Ayx3Hj1mcfTixGZR1drlJa5pDoF3y40ysxt/3ZYRD0Z/hO
  NbQ5QK/GPjnBheJaha6X7BoGgMRzXCfVSqtP/hE2Szzdq3nkZbWuDYw8EQ+Nr8Ni
  Q0BIIZLQbTYf4lmTXMbZdgUFq9/vSFNuz2IudDGiHrVfV1HZrZigHly61gqaXhjF
  Uir2LjMEgMr7D4O0udM6RnR7A1Wn3++sc8m3bGHYj+j+oSHSiKpZ0yxKbGY0TITL
  1/vJMBZe46rW2qQi8WI4fkRnyRVc+L19AHqHYeA9XHMWKFgRKgHlf+yf2ysPKsD6
  lGYCFwLJrlec/Sq4mbwe59JwtQbf4LHUQ4k+M1Cr5q04WegMH/nFjOanv8Ehs1Se
  WqJZD/1O+p8Go71g7c8kJ9QYiHkkr/xgs8BF7WMlNw7df5za6V1Ns/VCMSfQ9HF8
  SlODL7NBffQr0A9rGD/AueN2pATzv1p90/Cz5VCIWRfCHMN6EmurdGcSJkSXRbjY
  SDAGDysitYmo
  =/eQF
  -----END PGP SIGNATURE-----


And how, pray tell, are you downloading those signatures? Or the public keys corresponding to them, for that matter, if you don't have them locally already (and, if you do, why do you trust them given that your transport layer has been compromised?)

Besides: if you actually verify `git` signatures, you can count yourself in a club of less than a dozen people who bother. That isn't to say that you're wrong to, just that an optional signature is, to a first approximation, as useful as not signing at all.


The public keys for those signatures have already been downloaded by any vendor who knows what they're doing; a new TLS forgery vulnerability won't really hurt there.

Or, let's put it this way: if you don't bother with the signatures, a TLS forgery likely isn't the easiest way to feed you a fake openssl release; hijacking an account or hacking GitHub et al. is.

Also, GitHub itself verifies Git signatures, and the maintainers seem to have GitHub's "vigilant mode" on.
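What "actually verifying git signatures" against a locally pinned key amounts to, as an added example that is not code from this thread or from OpenSSL: it splits a tag object like the one quoted above into the signed payload and the armored signature, recomputes the object id git assigns it, and accepts a `git verify-tag --raw` status stream only when a GOODSIG comes with a VALIDSIG for the pinned fingerprint. The fingerprint, the gpg status lines and the signature body are constructed placeholders.

```python
import hashlib
# Constructed sample: the header fields quoted above plus a placeholder body,
# so nothing here is a real OpenPGP signature.
SAMPLE_TAG = (
    "object 19cc035b6c6f2283573d29c7ea7f7d675cf750ce\ntype commit\n"
    "tag openssl-3.0.7\n"
    "tagger Tomas Mraz <tomas@openssl.org> 1667335515 +0100\n\n"
    "OpenSSL 3.0.7 release tag\n"
    "-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER\n=AAAA\n"
    "-----END PGP SIGNATURE-----\n"
)
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----\n"
# Made-up fingerprint standing in for one pinned on disk beforehand, and
# constructed 'git verify-tag --raw' (gpg --status-fd) output, good and bad.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD_STATUS = [
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Tomas Mraz <tomas@openssl.org>",
    f"[GNUPG:] VALIDSIG {PINNED_FPR} 2022-11-01 1667335515 0 4 0 1 10 00 {PINNED_FPR}",
]
BAD_STATUS = ["[GNUPG:] NEWSIG", "[GNUPG:] BADSIG 89ABCDEF01234567 Tomas Mraz"]

def split_tag(raw):
    """(headers, message, armored sig): gpg verifies everything before
    SIG_BEGIN, so that payload is what binds the tag name to the commit."""
    idx = raw.find(SIG_BEGIN)
    payload, sig = (raw, "") if idx < 0 else (raw[:idx], raw[idx:])
    header_text, _, message = payload.partition("\n\n")
    headers = dict(line.split(" ", 1) for line in header_text.splitlines())
    return headers, message, sig

def tag_object_id(raw):
    """The id git assigns the tag: SHA-1 over 'tag <size>\\0<content>'."""
    data = raw.encode()
    return hashlib.sha1(b"tag %d\x00" % len(data) + data).hexdigest()

def signature_ok(status_lines, pinned_fpr):
    """Accept only a GOODSIG whose signing or primary key fingerprint (VALIDSIG
    fields 3 and 12) is the pinned one; no network-fetched key is consulted."""
    good, fprs = False, set()
    for line in status_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "GOODSIG":
            good = True
        elif parts[1] == "VALIDSIG":
            fprs.update({parts[2], parts[-1]})
        elif parts[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False
    return good and pinned_fpr in fprs
```

Pin the fingerprint from a source independent of the download path (an earlier checkout, the project's published key list), then feed signature_ok the lines printed by git verify-tag --raw for the tag you are about to build.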


brew repositories are hosted at GitHub. According to the linked article, GitHub did a full scan on all repositories to see whether those attacks were already in use and implemented mitigations to make it impossible to push attacks to GitHub. I.e. it should be safe to run brew upgrade.


Ugh, technically correct, the best type of correct.



