Verify the GPG or SSH signature on an annotated tag. The release-engineering counterpart to verify-commit.
🧠 Mental model
Signed tags embed the signature in the tag object itself (not the commit). verify-tag extracts that block and hands it to gpg/ssh for validation against your trust store.
🛠️ Synopsis
git verify-tag [-v | --verbose] [--raw] [--format=<format>] <tag>...
Operates on tag objects, so lightweight tags (which have no object) cannot
be verified. Exit code 0 means every named tag carries a good signature.
🎚️ Switches & options
Flag                 What it does
-v / --verbose       Print the tag's contents (message, tagger, target) in addition to verification status.
--raw                Emit the verifier's raw status lines for machine parsing.
--format=<format>    Custom output using the same placeholders as for-each-ref (e.g. %(objectname), %(taggername)).
<tag>...             One or more tag names; all must verify or the command exits non-zero.
💡 Use cases
Release pipeline: verify the tag before building artifacts so an unsigned tag never produces a binary.
Audit chain: confirm that v1.0.0 through v1.9.3 were all signed by an authorized release manager.
Mirror validation: downstream packagers verifying upstream tags before importing.
Custom listings combining --format with for-each-ref-style fields.
Standardize on git tag -s for releases; lightweight tags cannot carry signatures, so a 'release' that's a lightweight tag is unverifiable by definition.
Keep gpg.ssh.allowedSignersFile or your keyring under version control (separately) so verification is reproducible across machines.
Run verify-tag as the very first step of any release build - before checkout of source, before fetch of dependencies.
🪤 Common pitfalls
Lightweight tags have no object to sign; verify-tag will fail with 'no signature found' even if the tagger thought they signed something.
Re-tagging (tag -f) over an existing signed tag silently replaces the signature - downstream consumers won't notice without verification.
SSH-signed tags require allowedSignersFile to be configured; otherwise you'll see ERRSIG even with a perfectly valid signature.
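
The release-pipeline and audit use cases above need more than exit code 0, which only says the signature is good for some key in the keyring. The following gate is an added example, not part of the original page or of git itself: it rejects lightweight tags, parses the --raw status lines, and checks the signer against an allowlist. It assumes GPG-signed tags; ALLOWED_FPRS, its placeholder fingerprints and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: release gate on top of `git verify-tag --raw` (GPG-signed tags only;
# SSH-signed tags do not produce [GNUPG:] status lines).
# Usage: sh <this-script> v1.0.0 v1.0.1 ...

# Constructed placeholders: primary-key fingerprints of authorized release managers.
ALLOWED_FPRS="AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111 BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222"

# Read GnuPG status lines on stdin and print the primary-key fingerprint
# (last VALIDSIG field). Fails unless there is exactly one VALIDSIG and no failure line.
signer_fpr() {
  awk '$1 != "[GNUPG:]" { next }
       $2 == "VALIDSIG" { fpr = $NF; n++ }
       $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
       $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
       END { if (n == 1 && !bad) print fpr; else exit 1 }'
}

# Succeed only if the fingerprint in $1 is on the allowlist.
is_authorized() {
  [ -n "$1" ] || return 1
  case " $ALLOWED_FPRS " in
    *" $1 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 only for an annotated tag with a good signature from an allowed key.
verify_release_tag() {
  tag=$1
  # A lightweight tag resolves straight to a commit: there is no tag object to verify.
  type=$(git cat-file -t "refs/tags/$tag" 2>/dev/null) ||
    { echo "$tag: no such tag" >&2; return 2; }
  [ "$type" = "tag" ] ||
    { echo "$tag: lightweight tag (points at a $type), unverifiable" >&2; return 2; }
  # --raw writes the status lines to stderr; capture them and discard stdout.
  status=$(git verify-tag --raw "$tag" 2>&1 >/dev/null) ||
    { echo "$tag: bad or missing signature" >&2; return 1; }
  fpr=$(printf '%s\n' "$status" | signer_fpr) ||
    { echo "$tag: no unambiguous VALIDSIG line" >&2; return 1; }
  is_authorized "$fpr" ||
    { echo "$tag: good signature, but $fpr is not an authorized signer" >&2; return 1; }
  echo "$tag: signed by $fpr"
}

# Verify every tag named on the command line; stop at the first failure.
for t in "$@"; do verify_release_tag "$t" || exit 1; done
```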