commit - c82e62cb1867793b98aa1d38e0e5db8c6eae162f
commit + c0805ce576af63f905cfae094062eec19d255c85
blob - 946e4ac9a5ded85347469ff755205443b98ffeec
blob + d32b03f5eccb5ae355f4b16e488a44068c680b01
--- regress/cmdline/tag.sh
+++ regress/cmdline/tag.sh
@@ -286,7 +286,10 @@ test_tag_create_ssh_signed() {
 		return 1
 	fi
 	touch $testroot/allowed_signers
-	echo "allowed_signers \"$testroot/allowed_signers\"" > \
+	touch $testroot/revoked_signers
+	echo "allowed_signers \"$testroot/allowed_signers\"" >> \
+		$testroot/repo/.git/got.conf
+	echo "revoked_signers \"$testroot/revoked_signers\"" >> \
 		$testroot/repo/.git/got.conf
 
 	# Create a signed tag based on repository's HEAD reference
@@ -342,6 +345,22 @@ test_tag_create_ssh_signed() {
 		return 1
 	fi
 
+	# Ensure validation fails after revoking the key
+	ssh-keygen -y -f $testroot/id_ed25519 >> $testroot/revoked_signers
+	echo "signature: Could not verify signature." > \
+		$testroot/stdout.expected
+	VERIFY_STDOUT=$(got tag -r $testroot/repo -V $tag 2> $testroot/stderr)
+	ret=$?
+	echo "$VERIFY_STDOUT" | grep '^signature: ' > $testroot/stdout
+	if [ $ret -eq 0 ]; then
+		diff -u $testroot/stdout.expected $testroot/stdout
+		test_done "$testroot" "1"
+		return 1
+	fi
+
+	# Later tests expect validation to work
+	echo -n > $testroot/revoked_signers
+
 	# Ensure that Git recognizes and verifies the tag Got has created
 	(cd $testroot/repo && git checkout -q $tag)
 	ret=$?