- Developers who already know basic commit and branch actions
- Readers who want to understand command boundaries and risk
Command Reference
git-verify-tag Tutorial
Explains how to use git-verify-tag to verify signed tag authenticity.
- A basic mental model of worktree, index, and commits
- Comfort reading `git status` and a small commit graph
- Using local cleanup commands on already shared history
- Continuing to rewrite before confirming a recovery path
The short version
git-verify-tag is used to verify signed tag authenticity.
When it is a good fit
- when you need to verify signed tag authenticity
- when you want this step to be repeatable instead of ad hoc
- when you need a clearer mental model of what Git is recording or updating
Basic example
git verify-tag v1.2.0
What to watch most closely
Advanced commands are not always part of the daily path, but mistakes with them usually cost more to recover from.
A safer working habit
Rehearse the flow on a small reproducible history before running it in a production repository.
Useful angles for understanding it
- Handle more complex collaboration or history-analysis tasks
- Turn one-off steps into repeatable routines
- Reduce the risk of advanced operations
Related reading
Read it alongside git status, git log, and git show so it is easier to see how the command changes history, refs, the index, or the working tree.
What problem this command solves in a workflow
`git verify-tag` validates the GPG signature on a signed tag, confirming that the tag was signed by the holder of a specific key and that the tag object has not been tampered with. Whether that key belongs to a trusted party is a separate decision that depends on your keyring. It is a read-only security verification tool: it does not modify history, packs, or storage. The output is a GPG verification result indicating whether the signature is valid, which key signed it, and whether the key is trusted in your GPG keyring.
Typical use cases
- Verifying release tags before deploying or distributing software — confirming the tag was signed by a known maintainer.
- Checking tag authenticity after fetching from a remote, ensuring the downloaded tag object matches its claimed origin.
- CI/CD pipeline gates: automatically rejecting builds based on unsigned or unverified tags in release workflows.
- Auditing: confirming which tags in a repository carry valid cryptographic signatures and which keys were used.
Special cases and boundaries
- Verify-tag only works on signed tags (created with `git tag -s`). Unsigned tags will fail verification with an error.
- The result depends on your local GPG keyring. If the signing key is not imported or not trusted, verification may fail even though the signature is cryptographically valid.
- `git verify-tag` checks the tag object's signature, not the GPG signature of individual commits within the tagged range. For commit signatures, use `git verify-commit`.
- A valid signature confirms authenticity (the tag was signed by this key) and integrity (the tag object was not modified), but not trustworthiness (you must decide whether to trust the key).
- Verify-tag is entirely read-only. It never modifies tags, objects, refs, or any part of the repository.
- If a tag's underlying object (commit, tree) was corrupted, the signature will still verify if the tag object itself is intact — verify-tag checks the tag's signature, not the health of the tagged content.
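A release gate that applies the CI/CD use case and the "valid is not the same as trusted" boundary above, as an added example that is not part of the original tutorial: it reads the `--raw` GnuPG status output and accepts a tag only when the primary-key fingerprint is on an allowlist. The function names, the script name `gate.sh` and the fingerprints in `ALLOWED_SIGNERS` are constructed placeholders.

```sh
#!/bin/sh
# Added example: release gate around `git verify-tag`.
# ALLOWED_SIGNERS holds constructed placeholder fingerprints; replace them
# with the primary-key fingerprints of your real maintainers.
ALLOWED_SIGNERS="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"

# signer_from_status: read GnuPG status lines on stdin and print the primary
# key fingerprint only when exactly one good signature is reported and nothing
# is bad, expired, revoked or unverifiable. Returns non-zero otherwise.
signer_from_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG"  { good++ }
        # VALIDSIG: $3 is the signing (sub)key, the last field the primary key.
        $2 == "VALIDSIG" { fpr = (NF >= 12) ? $NF : $3 }
        END {
            if (bad || good != 1 || fpr == "") exit 1
            print fpr
        }'
}

# is_allowed_signer FPR: exact, whole-line match against the allowlist.
is_allowed_signer() {
    printf '%s\n' "$ALLOWED_SIGNERS" | grep -Fqx -- "$1"
}

# verify_release_tag TAG: succeed only for a tag signed by an allowed key.
verify_release_tag() {
    tag=$1
    # refs/tags/ pins the lookup to a tag; --raw sends gpg status to stderr.
    status=$(git verify-tag --raw "refs/tags/$tag" 2>&1) || {
        echo "REJECT $tag: unsigned, bad signature, or key not in keyring" >&2
        return 1
    }
    # Defence in depth: re-check the status lines instead of the exit code only.
    fpr=$(printf '%s\n' "$status" | signer_from_status) || {
        echo "REJECT $tag: signature or key is expired, revoked or invalid" >&2
        return 1
    }
    is_allowed_signer "$fpr" || {
        echo "REJECT $tag: valid signature, but signer $fpr is not allowed" >&2
        return 1
    }
    echo "OK $tag signed by $fpr"
}

# Run as a script: ./gate.sh v1.2.0
if [ $# -gt 0 ]; then verify_release_tag "$1"; fi
```

Pinning fingerprints in the gate keeps the decision independent of whatever keys happen to be in the build machine's keyring.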