I understand, one can verify signed git:
But how to verify the git commit at which some tag is pointing? Using this at the moment.
git verify-commit "$(git rev-list --max-count 1 tag-name)"
git rev-list --max-count 1 tag-name to figure out at which commit the tag is pointing and then passing that to git verify-commit.
Is there a simpler way?
Does this look sane, secure?
(What's the background of this? Related to git sha 1 and git security.)
tag^{commit} or tag^{} resolves to the commit to which a tag points.
So the following should do what you want:
git verify-commit tag^{}