LinuxCommandLibrary

git-verify-tag

Verify the GPG signature of a tag

TLDR

Check tags for a GPG signature

$ git verify-tag [tag1 optional_tag2 ...]

Check tags for a GPG signature and show details for each tag

$ git verify-tag [tag1 optional_tag2 ...] [-v|--verbose]

Check tags for a GPG signature and print the raw details

$ git verify-tag [tag1 optional_tag2 ...] --raw

SYNOPSIS

git verify-tag <tag>...

PARAMETERS

<tag>...
    One or more tag objects or references (e.g., tag names or object IDs) whose GPG signatures are to be verified. The command will process each specified tag.

DESCRIPTION

The git-verify-tag command is an internal Git utility used to cryptographically verify the GPG signature of one or more tag objects. It is typically invoked by git tag -v <tagname> when you want to ensure the authenticity and integrity of a signed tag.

When executed, git-verify-tag inspects the specified tag object(s), extracts the associated GPG signature, and attempts to verify it against the local GPG keyring. The output typically includes the GPG verification status, such as "good signature", "BAD signature", or "no signature", along with details of the signing key. A successful verification confirms that the tag has not been tampered with and was created by a trusted entity whose public key is present in your GPG keyring. This command is crucial for maintaining trust and security in distributed Git workflows.

CAVEATS

Verification relies on the 'gpg' command-line tool being installed and properly configured on your system.
For a 'good signature' status, the public key of the tag's signer must be present and trusted in your local GPG keyring. If the key is not found or not trusted, the signature verification may fail or report 'unknown key'.
This command only verifies the GPG signature over the tag object itself; it does not verify the integrity of the commit that the tag points to.
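
Because the result depends on which keys are in the local keyring, a script can pin the one key it expects instead of accepting any key gpg knows. The following added example (not from the original page or the Git project) parses the GnuPG status lines that `git verify-tag --raw` emits and accepts a tag only when they name the pinned fingerprint; the fingerprints, identities and the tag name `v1.0` are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the page or the Git project): accept a tag only if
# the GnuPG status lines show a good signature made by one pinned key.
# Real use (tag name v1.0 is a placeholder; --raw writes to stderr):
#   git verify-tag --raw v1.0 2>&1 >/dev/null | check_tag_status "$PINNED_FPR"

# Constructed 40-hex-digit fingerprints, not real keys.
PINNED_FPR=0123456789ABCDEF0123456789ABCDEF01234567
OTHER_FPR=FEDCBA9876543210FEDCBA9876543210FEDCBA98

# check_tag_status FPR: read "[GNUPG:] ..." status lines on stdin; return 0
# only if GOODSIG is present, VALIDSIG names FPR as the primary key, and no
# failure keyword (bad, expired or revoked signature/key) appears.
check_tag_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary-key fingerprint; field 3 the signing (sub)key.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) pinned = 1
        }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (good && pinned && !bad) exit 0; exit 1 }
    '
}

# Constructed status output for three cases.
sample_good() {
    printf '%s\n' \
      "[GNUPG:] GOODSIG 89ABCDEF01234567 Release Signer <release@example.org>" \
      "[GNUPG:] VALIDSIG $PINNED_FPR 2024-01-01 1704067200 0 4 0 1 10 00 $PINNED_FPR" \
      "[GNUPG:] TRUST_ULTIMATE 0 pgp"
}
sample_other_key() {   # valid signature, but from a key that is not the pinned one
    printf '%s\n' \
      "[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <else@example.org>" \
      "[GNUPG:] VALIDSIG $OTHER_FPR 2024-01-01 1704067200 0 4 0 1 10 00 $OTHER_FPR" \
      "[GNUPG:] TRUST_UNDEFINED 0 pgp"
}
sample_expired_key() { # pinned key, but gpg reports it as expired
    printf '%s\n' \
      "[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Release Signer <release@example.org>" \
      "[GNUPG:] VALIDSIG $PINNED_FPR 2024-01-01 1704067200 0 4 0 1 10 00 $PINNED_FPR"
}

for s in sample_good sample_other_key sample_expired_key; do
    if $s | check_tag_status "$PINNED_FPR"; then echo "$s: accept"; else echo "$s: reject"; fi
done
```

Only the first sample is accepted: the second is a good signature from a key other than the pinned one, and the third carries the pinned fingerprint but gpg flags the key as expired.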

EXIT STATUS

The command exits with a status code indicating the outcome of the verification process:
0: Successfully verified at least one tag, meaning a good signature was found, or the tag was unsigned (no signature detected).
128: A usage error occurred, such as no tags being specified or an invalid tag reference.
Non-zero (other): GPG signature verification failed for one or more tags (e.g., bad signature, unknown key, or GPG error).

HISTORY

GPG signing of tags was introduced early in Git's history, around version 1.4.0 (circa 2006), to provide cryptographic assurance for releases and checkpoints. The 'git-verify-tag' command serves as the underlying mechanism for validating these signatures, allowing users to confirm the authenticity of tags created by others. While initially an internal component, its functionality became a direct command for programmatic verification.
