
From:
Josh Rickamr <openbsd+lists@zettaport.com>
Subject:
regress testing the revoked_signers option
To:
gameoftrees@openbsd.org
Date:
Mon, 4 Jul 2022 16:21:26 -0400

ok?

diff refs/heads/main refs/heads/revoking_regress
commit - ea2c9c36aa409c447e37aed9c75777adb9e36274
commit + 55dd6981d16dcd7a3d69014b1f3859f6a72b4de2
blob - 522d1dea0ce53ec2b119b3ef279d22df95d99d1b
blob + 217af530810b91c6f6861398bf49b4c6f5403578
--- regress/cmdline/tag.sh
+++ regress/cmdline/tag.sh
@@ -271,8 +271,11 @@ test_tag_create_ssh_signed() {
 		return 1
 	fi
 	touch $testroot/allowed_signers
-	echo "allowed_signers \"$testroot/allowed_signers\"" > \
+	touch $testroot/revoked_signers
+	echo "allowed_signers \"$testroot/allowed_signers\"" >> \
 		$testroot/repo/.git/got.conf
+	echo "revoked_signers \"$testroot/revoked_signers\"" >> \
+		$testroot/repo/.git/got.conf
 
 	# Create a signed tag based on repository's HEAD reference
 	got tag -s $testroot/id_ed25519 -m 'test' -r $testroot/repo -c HEAD \
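Review bot: Changing the first redirect to `>>` means got.conf is now appended to rather than created, so the resulting configuration depends on whatever the file already holds at this point in test_tag_create_ssh_signed, whose earlier lines are outside the hunk. If nothing before this writes got.conf, keeping `>` on the `allowed_signers` line and using `>>` only for `revoked_signers` keeps the file contents deterministic. A short comment above the new `touch`, such as `# revoked_signers starts empty; the key is appended later to test revocation`, would also make the setup easier to follow.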
@@ -327,6 +330,22 @@ test_tag_create_ssh_signed() {
 		return 1
 	fi
 
+	# Ensure validation fails after revoking the key
+	ssh-keygen -y -f $testroot/id_ed25519 >> $testroot/revoked_signers
+	echo "signature: Could not verify signature." > \
+		$testroot/stdout.expected
+	VERIFY_STDOUT=$(got tag -r $testroot/repo -V $tag 2> $testroot/stderr)
+	ret=$?
+	echo "$VERIFY_STDOUT" | grep '^signature: ' > $testroot/stdout
+	if [ $ret -eq 0 ]; then
+		diff -u $testroot/stdout.expected $testroot/stdout
+		test_done "$testroot" "1"
+		return 1
+	fi
+
+	# Later tests expect validation to work
+	echo -n > $testroot/revoked_signers
+
 	# Ensure that Git recognizes and verifies the tag Got has created
 	(cd $testroot/repo && git checkout -q $tag)
 	ret=$?
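Review bot: The revocation check at `if [ $ret -eq 0 ]` passes on any non-zero exit from `got tag -V`, so a failure unrelated to revocation (possibly an unreadable got.conf or revoked_signers file) would satisfy it too. `stdout.expected` is diffed only in the branch where the command unexpectedly succeeded, and `$testroot/stderr` is never inspected. I would report the unexpected success with a message and then compare the captured `signature:` line against the expected text, so the test shows that the rejection comes from signature verification. Separately, `echo -n > $testroot/revoked_signers` relies on the non-portable `echo -n`; `: > $testroot/revoked_signers` truncates the file the same way. test_tag_create_ssh_signed begins and ends outside this hunk.

```shell
	# … unchanged: revoke the key, write stdout.expected, run got tag -V, grep into stdout …
	if [ $ret -eq 0 ]; then
		echo "got tag command succeeded unexpectedly" >&2
		test_done "$testroot" "1"
		return 1
	fi
	cmp -s $testroot/stdout.expected $testroot/stdout
	ret=$?
	if [ $ret -ne 0 ]; then
		diff -u $testroot/stdout.expected $testroot/stdout
		test_done "$testroot" "$ret"
		return 1
	fi
	# … unchanged: reset revoked_signers for later tests …
```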