Note that Signed-off-by (as added by -s) is different than -S (GPG-sign). The -s option simply appends the "Signed-off-by" line to the commit message, so this can also be forged.

The GPG signature cannot be forged (access to the private key is needed).