rbm should check that a signed tag object contains the expected tag name
When we use the tag_gpg_id option, rbm will check that a tag is gpg signed. However it does not check that the tag object contains the expected tag name, and git does not check that either. As discussed in #30479 (moved), this can allow rollback attacks.
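
One way to implement the missing check, as an added example that is not rbm's own code: once the signature has been verified, read the raw tag object (for instance from `git cat-file tag <ref>`) and compare its `tag` header with the name that was requested. The function names and the sample tag object are assumptions made for illustration.

```python
# Added example (not rbm code). The sample tag object below is constructed.

# Constructed annotated-tag object, as `git cat-file tag <ref>` would print it.
# Its message deliberately contains a line that looks like a header.
OLD_TAG_OBJECT = """\
object 0123456789abcdef0123456789abcdef01234567
type commit
tag v1.0
tagger Example Dev <dev@example.org> 1500000000 +0000

Release v1.0
tag v2.0
"""


def parse_tag_headers(raw):
    """Return the header fields of a raw tag object (text before the first blank line)."""
    headers = {}
    for line in raw.split("\n"):
        if line == "":
            break  # headers end here; message and signature follow
        key, sep, value = line.partition(" ")
        if not sep or key in headers:
            raise ValueError("malformed or duplicate tag header: %r" % line)
        headers[key] = value
    return headers


def tag_name_matches(raw, requested_ref):
    """True only if the tag object names itself as the tag that was requested."""
    prefix = "refs/tags/"
    expected = requested_ref[len(prefix):] if requested_ref.startswith(prefix) else requested_ref
    try:
        headers = parse_tag_headers(raw)
    except ValueError:
        return False  # treat an unparseable object as a mismatch
    return headers.get("tag") == expected


if __name__ == "__main__":
    # The old object is served under the ref name v2.0: its signature would
    # still verify, but the embedded name does not match what was requested.
    for ref in ("v1.0", "refs/tags/v2.0"):
        ok = tag_name_matches(OLD_TAG_OBJECT, ref)
        print(ref, "->", "ok" if ok else "REJECT: tag name mismatch")
```

The comparison is meaningful only after signature verification, because the `tag` header is part of the signed content of the tag object.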