I understand, one can verify signed git:
But how to verify the git commit at which some tag is pointing? Using this at the moment.
git verify-commit "$(git rev-list --max-count 1 tag-name)"
git rev-list --max-count 1 tag-name
to figure out at which commit the tag is pointing and then passing that to git verify-commit
.
Is there a simpler way?
Does this look sane, secure?
(What's the background of this? Related to git sha 1 and git security.)
tag^{commit}
ortag^{}
resolves to the commit to which a tag points.So the following should do what you want: