git-verify-tag

Check tags for a GPG signature

$ git verify-tag [tag1 optional_tag2 ...]

$ git verify-tag [tag1 optional_tag2 ...] [[-v|--verbose]]

$ git verify-tag [tag1 optional_tag2 ...] --raw

git verify-tag [-v | --verbose]

tag
    The name of the tag object to verify. This can be a symbolic tag name (e.g., 'v1.0') or the object ID (SHA-1 hash) of the tag object.

-v, --verbose
    Enable verbose output, showing details about the verification process. This provides more information, which may be useful for debugging signature issues.

The git-verify-tag command cryptographically verifies the GPG signature of a tag object within a Git repository. It checks that the tag's signature is valid and that the tag was signed by a trusted key. This is crucial for ensuring the integrity and authenticity of tags, preventing tampering, and building trust in software releases. The command uses the user's GPG keyring to validate signatures.

When successful, the command outputs the name of the signer. If verification fails, an error message is displayed, indicating the reason for the failure. Use of this command can be critical in environments where verifying the provenance of code and releases is paramount.

Requires GPG to be installed and configured correctly. The user's GPG keyring must contain the public key of the tag's signer for successful verification.

The command exits with 0 if the tag is successfully verified and 1 if verification fails. If verification fails, it does not specify any further error codes to identify why validation was unsuccessful.

The trust model relies on the user's GPG keyring and the concept of trusted keys. You must explicitly trust the public keys of signers for verification to succeed. Git does not inherently trust all GPG keys.

git verify-tag was introduced as part of Git's support for GPG-signed tags. It was developed to address the need for verifying the integrity of releases and ensuring that tags were created by trusted individuals. Initially, GPG signing support was rudimentary, but over time, it has become a more integral part of the Git ecosystem, with commands like git verify-tag playing a vital role in security practices.

GPG signing is considered as an advanced option, and its usage has increased with the growing importance of supply chain security and the desire to prevent malicious actors from injecting vulnerabilities into software.

git-tag(1), git-verify-commit(1), gpg(1)