Automic VaultAutomic Vault

brew

Install gitsign with Homebrew, apt, MacPorts, Nix, pacman, scoop, zypper

Keyless Git signing using Sigstore. Version 0.16.1 via Homebrew; verified 2026-06-08.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install gitsign

local Homebrew formula metadata

MacPortsverified · 94%
sudo port install gitsign

MacPorts ports tree · security/gitsign/Portfile · source: api.github.com

Linux

Debian aptverified · 92%
sudo apt install gitsign

Debian stable package indexes · gitsign · source: deb.debian.org

Nixverified · 92%
nix profile install nixpkgs#gitsign

nixpkgs package indexes · pkgs/by-name/gi/gitsign/package.nix · source: api.github.com

Arch Linux pacmanverified · 92%
sudo pacman -S gitsign

Arch Linux sync databases · gitsign · source: geo.mirror.pkgbuild.com

openSUSE zypperverified · 92%
sudo zypper install gitsign

openSUSE Tumbleweed package metadata · gitsign · source: download.opensuse.org

Windows

Scoopverified · 92%
scoop install main/gitsign

Scoop official bucket manifest trees · bucket/gitsign.json · source: api.github.com

overview

Package summary

Keyless Git signing using Sigstore

Commands and aliases

  • gitsign
  • gitsign-credential-cache

history

Project history and usage

gitsign is a Sigstore tool for keyless signing of Git commits and tags. It uses OpenID Connect identities and Sigstore infrastructure instead of long-lived local signing keys.

Project history

The gitsign repository was created in May 2022 under the Sigstore organization. Its README says the tool was heavily inspired by GitHub's smimesign, but substitutes keyless Sigstore signing with a GitHub or other OIDC identity.

Adoption history

gitsign belongs to the broader Sigstore supply-chain security ecosystem alongside Fulcio, Rekor, and Cosign. Its adoption story is tied to the move from personal key management toward short-lived certificates, identity-backed signatures, and transparency-log verification.

How it is used

Practitioners configure Git to use `gitsign` as the `gpg.x509.program`, set `gpg.format` to `x509`, and then sign commits with `git commit -S` or sign tags with `git tag -s`. Verification commonly uses `gitsign verify` so callers can check both cryptographic integrity and certificate identity claims.

Why package nerds care

For package maintainers, gitsign is important because it brings Sigstore's keyless model to Git history rather than only to container images or release artifacts. It packages a security workflow as a Git signing backend with a small CLI surface and a credential-cache helper.

Timeline

  • 2022: Repository created under the Sigstore organization.
  • 2022: Test release published from the new repository.
  • 2020s: Distributed through Homebrew, Debian, MacPorts, Nix, Arch, Scoop, and zypper package channels.

Related projects

  • gitsign is related to Sigstore, Fulcio, Rekor, Cosign, Git's X.509 signing support, and GitHub's smimesign.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
.git/config~/.gitconfig

executables

Installed executables

CommandKindExposureNote
gitsigncliglobal executable
gitsign-credential-cachecliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.16.1
manager updated2026-06-08
local dataok
upstreamcurrent
latest detectedv0.16.1

https://github.com/sigstore/gitsign

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:gitsign
Version0.16.1
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/gitsign
Homepagehttps://github.com/sigstore/gitsign
Repositoryhttps://github.com/sigstore/gitsign
Upstream docshttps://docs.sigstore.dev/
LicenseApache-2.0
Source archivehttps://github.com/sigstore/gitsign/archive/refs/tags/v0.16.1.tar.gz
Last updated2026-06-08T21:43:20Z
Pulseupdated
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namegitsign
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Debian apt95%

gitsign 0.13.0-2+b2

Keyless Git signing using Sigstore (program)

https://github.com/sigstore/gitsign

sudo apt install gitsign
  • Section: vcs
  • Architecture: amd64
  • Source Package: gitsign
  • 1 dependencies
  • normalized package name match
  • Matched by: Gitsign
Debian stable package indexes · deb.debian.org · Debian stable package indexes: gitsign from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
Debian apt95%

golang-github-sigstore-gitsign-dev 0.13.0-2

Keyless Git signing using Sigstore (library)

https://github.com/sigstore/gitsign

sudo apt install golang-github-sigstore-gitsign-dev
  • Section: golang
  • Architecture: all
  • Source Package: gitsign
  • 10 dependencies
  • normalized package name match
  • Matched by: Gitsign
Debian stable package indexes · deb.debian.org · Debian stable package indexes: golang-github-sigstore-gitsign-dev from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
Nix95%

gitsign

nix profile install nixpkgs#gitsign
  • normalized package name match
  • Matched by: Gitsign
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/gi/gitsign/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
pacman95%

gitsign 0.14.0-2

Keyless Git signing using Sigstore

https://github.com/sigstore/gitsign

sudo pacman -S gitsign
  • License: APACHE
  • Architecture: x86_64
  • normalized package name match
  • Matched by: Gitsign
Arch Linux sync databases · geo.mirror.pkgbuild.com · Arch Linux sync databases: gitsign from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz
zypper95%

gitsign 0.16.0-1.1

Keyless Git signing using Sigstore

https://github.com/sigstore/gitsign

sudo zypper install gitsign
  • License: Apache-2.0
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: gitsign
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Gitsign
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: gitsign from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
zypper95%

gitsign-credential-cache 0.16.0-1.1

Credential cache for gitsign

https://github.com/sigstore/gitsign

sudo zypper install gitsign-credential-cache
  • License: Apache-2.0
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: gitsign
  • 3 dependencies
  • 2 provides
  • normalized package name match
  • Matched by: Gitsign
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: gitsign-credential-cache from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst
MacPorts95%

gitsign

sudo port install gitsign
  • normalized package name match
  • Matched by: Gitsign
MacPorts ports tree · api.github.com · MacPorts ports tree: security/gitsign/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
Scoop95%

main/gitsign

scoop install main/gitsign
  • normalized package name match
  • Matched by: Gitsign
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/gitsign.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment