LinuxCommandLibrary

git-verify-tag

Verify the GPG signature of a tag

TLDR

Check tags for a GPG signature

$ git verify-tag [tag1 optional_tag2 ...]

Check tags for a GPG signature and show details for each tag

$ git verify-tag [tag1 optional_tag2 ...] [-v|--verbose]

Check tags for a GPG signature and print the raw details

$ git verify-tag [tag1 optional_tag2 ...] --raw

SYNOPSIS

git verify-tag [-v | --verbose] [--raw] <tag>…

PARAMETERS

-v, --verbose
    Print the full GPG verification message to stdout

--raw
    Print raw GPG status exit code (see gpg(1))

DESCRIPTION

git verify-tag validates the cryptographic signatures (GPG or PGP) attached to Git tag objects, ensuring their authenticity and integrity. Tags created with git tag -s or -u include a signature generated from the tag data using the signer's private key. This command checks if the signature matches the tag content by verifying it against the signer's public key in your GPG keyring.

It processes one or more tags specified as arguments, outputting verification results. Successful verification confirms the tag was created by the claimed author and remains untampered. Failed checks indicate issues like invalid signatures, missing keys, or corruption.

Primarily used in workflows verifying release tags from trusted sources, such as open-source projects, before building or deploying. It integrates with Git's security model, complementing signed commits. Requires GPG (or compatible) installed; keys must be imported manually via gpg --import.

Output includes human-readable messages by default, with options for verbose GPG details or raw exit codes for automation.
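
One way to gate a build on a signed release tag, as an added example (not part of the original page or of Git's own documentation): besides checking the exit status, it pins the signer's fingerprint, because git verify-tag succeeds for a good signature from any key in the keyring. The function names and the tag and fingerprint arguments are assumptions of this example; --raw is used to obtain gpg's status lines, which Git writes to standard error.

```sh
#!/bin/sh
# Added example: gate a build on a release tag signed by one pinned key.
# Function names are hypothetical; tag and fingerprint come from the caller.

# Strip spaces and upper-case a fingerprint so pasted forms compare equal.
normalize_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Read gpg status lines on stdin and print the signer's primary-key
# fingerprint (last VALIDSIG field; falls back to the signing-key field).
# Fails unless exactly one VALIDSIG line is present.
signer_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { n++; fpr = (NF >= 12) ? $12 : $3 }
         END { if (n != 1) exit 1; print fpr }'
}

# verify_release_tag <tag> <expected-primary-key-fingerprint>
# Returns 0 only if git accepts the signature AND the signer is the pinned key.
verify_release_tag() {
    tag=$1
    want=$(normalize_fpr "$2")
    # Refuse names that git would parse as options.
    case $tag in -*|'') echo "refusing tag name '$tag'" >&2; return 2 ;; esac
    # --raw: gpg's machine-readable status lines, written to stderr.
    status=$(git verify-tag --raw "$tag" 2>&1) || {
        echo "FAIL: $tag: no good signature from a key in the keyring" >&2
        return 1
    }
    got=$(printf '%s\n' "$status" | signer_fpr_from_status) || {
        echo "FAIL: $tag: expected exactly one VALIDSIG status line" >&2
        return 1
    }
    if [ "$(normalize_fpr "$got")" != "$want" ]; then
        echo "FAIL: $tag: signed by $got, not the pinned key" >&2
        return 1
    fi
    echo "OK: $tag signed by $got"
}

# Usage: sh verify-release-tag.sh <tag> <fingerprint>
if [ "$#" -ge 2 ]; then
    verify_release_tag "$1" "$2"
fi
```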

CAVEATS

Requires GPG installed and signer's public key imported; does not auto-fetch keys. Verifies only detached signatures on tags. Non-zero exit if any tag fails.

EXIT STATUS

0: All tags verified OK.
1+: At least one tag failed verification.

FILES

Uses $HOME/.gitconfig for gpg.program; relies on $GNUPGHOME or ~/.gnupg keyring.

HISTORY

Introduced in Git 1.4.4.1 (March 2007) alongside signed tag support; evolved with GPG integration improvements in later versions like 1.7.x for better key handling.

SEE ALSO

git-verify-commit(1), git-tag(1), git(1), gpg(1)
