@@ -129,6 +129,19 @@ def sign_tree_checksum(
129129 os .unlink (tmp .name )
130130
131131
132+ def is_tag_signature_valid (repo : Path , tag : str ) -> bool :
133+ try :
134+ subprocess .run (
135+ ["git" , "tag" , "-v" , tag ],
136+ cwd = repo ,
137+ check = True ,
138+ capture_output = True ,
139+ )
140+ return True
141+ except subprocess .CalledProcessError :
142+ return False
143+
144+
132145class ChecksumProcessor :
133146 def __init__ (self ) -> None :
134147 self .stats = {
@@ -338,12 +351,26 @@ def main() -> None:
338351 sign_tree_checksum (repo , args .sign , calculated_digest , args .compat )
339352 elif args .verify and tag_msg_checksum :
340353 matched = tag_msg_checksum == calculated_digest
341- if matched :
342- print ("Checksums are successfully verified" ) # noqa: T201
354+ tag_sig = is_tag_signature_valid (repo , args .verify )
355+ if matched and tag_sig :
356+ print ("Checksum and signature are successfully verified" ) # noqa: T201
357+ elif matched and not tag_sig :
358+ print ("Checksum was verified but not signature" , file = sys .stderr ) # noqa: T201
359+ sys .exit (1 )
360+ elif tag_sig and not matched :
361+ print ( # noqa: T201
362+ (
363+ "Signature was verified but not checksum"
364+ f"\n Checksum from tag message { tag_msg_checksum } "
365+ f"\n Calculated checksum of { args .verify } is { calculated_digest } "
366+ ),
367+ file = sys .stderr ,
368+ )
369+ sys .exit (1 )
343370 else :
344371 print ( # noqa: T201
345372 (
346- "Checksums did not match "
373+ "Checksums and signature verification failed "
347374 f"\n Checksum from tag message { tag_msg_checksum } "
348375 f"\n Calculated checksum of { args .verify } is { calculated_digest } "
349376 ),
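Review bot: `is_tag_signature_valid` in the first hunk (new lines 132-142) collapses every non-zero exit of `git tag -v` into `False` and discards the captured stderr, so the "Checksum was verified but not signature" message at new line 358 cannot tell the user whether the tag is unsigned, the signature is bad, or the signing key is simply absent from the local keyring. Keeping the diagnostic is a three-line change in the except branch: `except subprocess.CalledProcessError as exc:` / `print(exc.stderr.decode(errors="replace"), file=sys.stderr)  # noqa: T201` / `return False`. The new function also has no docstring; it should state that success means gpg accepted the signature against the local keyring at whatever trust level git is configured to require (`gpg.minTrustLevel`), not that the key is one the project expects, so callers must not read `True` as "signed by the release key". Note that `subprocess.run` with `check=True` also raises `FileNotFoundError` when git is missing, which this function does not catch. `main()` starts and ends outside the second hunk.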