electrs/update.sh: ensure tag is checked out

Cloning a tag-named branch introduced a supply chain attack vector,
because branch and tag contents might differ.
Now the hashed worktree always corresponds to the tag that is GPG-verified.

pkgs/applications/blockchains/electrs/update.sh

@@ -21,6 +21,7 @@ repo=$tmpdir/repo
 trap "rm -rf $tmpdir" EXIT
 
 git clone --depth 1 --branch v${version} -c advice.detachedHead=false https://github.com/romanz/electrs $repo
+git -C $repo checkout tags/v${version}
 
 export GNUPGHOME=$tmpdir
 echo