I would like to include the git tag -v command in the deployment process to catch unsigned tags or tags signed by a non-trusted GPG key.
The command returns with an exit code of 0 if the tag has a valid signature, but does not care whether the signed key is trusted or not.
I don't want to resort to grepping the resulting GPG message manually.
I haven't tried it yet, and the documentation doesn't mention exit codes, but you could try the git-verify-tag plumbing command.
Update: Having no easy way to test this, I've reviewed the source code:
https://github.com/git/git/blob/81b50f3ce40bfdd66e5d967bf82be001039a9a98/builtin/verify-tag.c
It does appear to consciously return the relevant result codes, so I'd expect this to work.
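One way to build the gate the question asks for on top of the verify-tag plumbing, as an added example that is not code from the question, the answer or the git project: git verify-tag --raw prints GnuPG's machine-readable status lines ([GNUPG:] GOODSIG, VALIDSIG, TRUST_*) on stderr, so a deploy script can require a good signature and a minimum trust level, and optionally a pinned signer fingerprint, without grepping the human-readable message. The status-line names and field positions are GnuPG's; the sample status text embedded below is constructed, and the tag name, key id, user id and fingerprints in it are placeholders.

```shell
#!/bin/sh
# Added example, not code from the question, answer or git.
# Gate a deployment on a tag that is validly signed by a key we trust.
# `git verify-tag --raw` emits GnuPG status lines on stderr; we parse those
# instead of the human-readable "Good signature from ..." text.

# Rank of a GnuPG TRUST_* status keyword; order matches gpg/git
# (undefined < never < marginal < fully < ultimate). Unknown keywords rank -1.
trust_rank() {
    case "$1" in
        TRUST_UNDEFINED) echo 0 ;;
        TRUST_NEVER)     echo 1 ;;
        TRUST_MARGINAL)  echo 2 ;;
        TRUST_FULLY)     echo 3 ;;
        TRUST_ULTIMATE)  echo 4 ;;
        *)               echo -1 ;;
    esac
}

# check_status STATUS_TEXT MIN_TRUST [ALLOWED_FINGERPRINTS]
# Returns 0 only if STATUS_TEXT (the raw gpg status output) contains
# GOODSIG and VALIDSIG lines, reports a TRUST_* level at or above MIN_TRUST
# (e.g. TRUST_FULLY) and is not TRUST_NEVER, and, when a space-separated
# ALLOWED_FINGERPRINTS list is given, the VALIDSIG fingerprint is in it.
check_status() {
    status="$1"
    min_trust="$2"
    allowed="${3:-}"

    # A bad, expired or missing-key signature never produces GOODSIG.
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '  || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG ' || return 1

    # Second field of the TRUST_* line is the keyword itself.
    trust=$(printf '%s\n' "$status" | grep '^\[GNUPG:\] TRUST_' | head -n 1 | awk '{print $2}')
    [ -n "$trust" ] || return 1
    [ "$trust" != TRUST_NEVER ] || return 1
    [ "$(trust_rank "$trust")" -ge "$(trust_rank "$min_trust")" ] || return 1

    # Optional pinning: third field of VALIDSIG is the signing key fingerprint.
    if [ -n "$allowed" ]; then
        fpr=$(printf '%s\n' "$status" | grep '^\[GNUPG:\] VALIDSIG ' | head -n 1 | awk '{print $3}')
        case " $allowed " in
            *" $fpr "*) ;;
            *) return 1 ;;
        esac
    fi
    return 0
}

# verify_tag_trusted TAG MIN_TRUST [ALLOWED_FINGERPRINTS]
# Runs git and feeds the status lines (stderr) to check_status. git's own
# exit code already rejects bad signatures; the trust check is ours.
verify_tag_trusted() {
    status=$(git verify-tag --raw "$1" 2>&1 >/dev/null) || return 1
    check_status "$status" "$2" "${3:-}"
}

# Constructed sample status output (placeholder key id, user id and
# fingerprints), used to exercise check_status without git or gpg present.
SAMPLE_TRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Release Key <release@example.com>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2024-01-01 1704067200 0 4 0 1 10 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_ULTIMATE 0 pgp'

SAMPLE_UNTRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Release Key <release@example.com>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2024-01-01 1704067200 0 4 0 1 10 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_UNDEFINED 0 pgp'

SAMPLE_BADSIG='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Release Key <release@example.com>'

# Usage in a deploy script (not run here):
#   verify_tag_trusted "$TAG" TRUST_FULLY "$RELEASE_KEY_FPR" || { echo "refusing to deploy $TAG"; exit 1; }
```

With git 2.26 or later the same gate can be expressed in configuration instead: setting gpg.minTrustLevel (for example to fully) makes git tag -v and git verify-tag themselves exit non-zero for a signature from a key below that trust level, which removes the need to parse status lines at all; the fingerprint pinning above is still worth keeping, since trust in a keyring is a looser property than "signed by the release key".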