macOS
brew install gitsignlocal Homebrew formula metadata
sudo port install gitsignMacPorts ports tree · security/gitsign/Portfile · source: api.github.com
brew
Keyless Git signing using Sigstore. Version 0.16.1 via Homebrew; verified 2026-06-08.
install
brew install gitsignlocal Homebrew formula metadata
sudo port install gitsignMacPorts ports tree · security/gitsign/Portfile · source: api.github.com
sudo apt install gitsignDebian stable package indexes · gitsign · source: deb.debian.org
nix profile install nixpkgs#gitsignnixpkgs package indexes · pkgs/by-name/gi/gitsign/package.nix · source: api.github.com
sudo pacman -S gitsignArch Linux sync databases · gitsign · source: geo.mirror.pkgbuild.com
sudo zypper install gitsignopenSUSE Tumbleweed package metadata · gitsign · source: download.opensuse.org
scoop install main/gitsignScoop official bucket manifest trees · bucket/gitsign.json · source: api.github.com
overview
Keyless Git signing using Sigstore
history
gitsign is a Sigstore tool for keyless signing of Git commits and tags. It uses OpenID Connect identities and Sigstore infrastructure instead of long-lived local signing keys.
The gitsign repository was created in May 2022 under the Sigstore organization. Its README says the tool was heavily inspired by GitHub's smimesign, but substitutes keyless Sigstore signing with a GitHub or other OIDC identity.
gitsign belongs to the broader Sigstore supply-chain security ecosystem alongside Fulcio, Rekor, and Cosign. Its adoption story is tied to the move from personal key management toward short-lived certificates, identity-backed signatures, and transparency-log verification.
Practitioners configure Git to use `gitsign` as the `gpg.x509.program`, set `gpg.format` to `x509`, and then sign commits with `git commit -S` or sign tags with `git tag -s`. Verification commonly uses `gitsign verify` so callers can check both cryptographic integrity and certificate identity claims.
For package maintainers, gitsign is important because it brings Sigstore's keyless model to Git history rather than only to container images or release artifacts. It packages a security workflow as a Git signing backend with a small CLI surface and a credential-cache helper.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
.git/config~/.gitconfigexecutables
| Command | Kind | Exposure | Note |
|---|---|---|---|
gitsign | cli | global executable | |
gitsign-credential-cache | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/sigstore/gitsign
install metadata
| Package key | brew:gitsign |
|---|---|
| Version | 0.16.1 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/gitsign |
| Homepage | https://github.com/sigstore/gitsign |
| Repository | https://github.com/sigstore/gitsign |
| Upstream docs | https://docs.sigstore.dev/ |
| License | Apache-2.0 |
| Source archive | https://github.com/sigstore/gitsign/archive/refs/tags/v0.16.1.tar.gz |
| Last updated | 2026-06-08T21:43:20Z |
| Pulse | updated |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | gitsign |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
gitsign 0.13.0-2+b2
Keyless Git signing using Sigstore (program)
https://github.com/sigstore/gitsign
sudo apt install gitsigngolang-github-sigstore-gitsign-dev 0.13.0-2
Keyless Git signing using Sigstore (library)
https://github.com/sigstore/gitsign
sudo apt install golang-github-sigstore-gitsign-devgitsign
nix profile install nixpkgs#gitsigngitsign 0.14.0-2
Keyless Git signing using Sigstore
https://github.com/sigstore/gitsign
sudo pacman -S gitsigngitsign 0.16.0-1.1
Keyless Git signing using Sigstore
https://github.com/sigstore/gitsign
sudo zypper install gitsigngitsign-credential-cache 0.16.0-1.1
Credential cache for gitsign
https://github.com/sigstore/gitsign
sudo zypper install gitsign-credential-cachegitsign
sudo port install gitsignmain/gitsign
scoop install main/gitsignsource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.