fix(git-node): check the tag signature and not the commit one

[aduh95]

During release promotion, we want to verify the tag is signed with one of the releasers' key. The commit can be signed with a different signature (e.g. the bot's, or a soon-to-be releaser).

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 14 lines in your changes missing coverage. Please review.

Project coverage is 79.86%. Comparing base (021161b) to head (9b61a56).
Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
lib/run.js	0.00%	14 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #907      +/-   ##
==========================================
- Coverage   80.05%   79.86%   -0.19%     
==========================================
  Files          39       39              
  Lines        4673     4684      +11     
==========================================
  Hits         3741     3741              
- Misses        932      943      +11     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[targos]

The commit message makes me suspicious. The commit signature should have been good in my case as I had to rebase the PR locally.

[aduh95]

Yeah that's because we're getting the ${name} <${email}> string using the commit author details, instead of the committer details (the committer is the one signing the commit, not the author). Anyway, the current way is wrong on many levels, this PR is fixing that, happy to edit the commit message to something else