rbm should check that a signed tag object contains the expected tag name
When we use the tag_gpg_id option, rbm will check that a tag is GPG-signed. However, it does not check that the tag object contains the expected tag name, and git does not check that either. As discussed in legacy/trac#30479 (moved), this can allow rollback attacks.
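
A sketch of the missing check, as an added example (not rbm's code): the signature covers the tag object's contents, including its `tag <name>` header, but not the ref that points at it, so the header has to be compared with the name that was requested. The function names and the sample object are constructed for illustration; the raw object text is assumed to come from `git cat-file tag <name>`.

```python
# Added example: compare the name stored inside a signed tag object with the
# tag name that was requested. This complements signature verification; it
# does not replace it.

# Constructed sample of a raw tag object (placeholder hash and signature).
# The message deliberately contains a line that looks like a 'tag' header.
OLD_TAG = """object 1111111111111111111111111111111111111111
type commit
tag v1.0
tagger Example Signer <signer@example.org> 1500000000 +0000

release v1.0

tag v2.0
-----BEGIN PGP SIGNATURE-----
(placeholder)
-----END PGP SIGNATURE-----
"""


def tag_header_name(raw_tag):
    """Return the value of the 'tag' header, or None if it is not unique.

    Only the header block (everything before the first blank line) is
    parsed, so a 'tag ...' line in the message cannot be mistaken for it.
    """
    headers = raw_tag.split("\n\n", 1)[0]
    names = [line[4:] for line in headers.split("\n") if line.startswith("tag ")]
    # Exactly one 'tag' header is expected; anything else is rejected.
    return names[0] if len(names) == 1 else None


def tag_name_matches(raw_tag, requested):
    """True only if the object names the tag that was requested."""
    prefix = "refs/tags/"
    expected = requested[len(prefix):] if requested.startswith(prefix) else requested
    return tag_header_name(raw_tag) == expected


if __name__ == "__main__":
    # The old object is valid for v1.0 but must be refused when it is
    # served under the name v2.0, even though its signature still verifies.
    for name in ("v1.0", "v2.0"):
        print(name, "accepted" if tag_name_matches(OLD_TAG, name) else "rejected")
```
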