# Install gitsign with Homebrew, apt, MacPorts, Nix, pacman, scoop, zypper

Keyless Git signing using Sigstore. Version 0.16.1 via Homebrew; verified 2026-06-08.

## Install

```sh
sudo av install brew:gitsign
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install gitsign
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install gitsign
```

  Evidence: MacPorts ports tree: security/gitsign/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- Debian apt (92%):

```sh
sudo apt install gitsign
```

  Evidence: Debian stable package indexes: gitsign from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- Nix (92%):

```sh
nix profile install nixpkgs#gitsign
```

  Evidence: nixpkgs package indexes: pkgs/by-name/gi/gitsign/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S gitsign
```

  Evidence: Arch Linux sync databases: gitsign from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

- zypper (92%):

```sh
sudo zypper install gitsign
```

  Evidence: openSUSE Tumbleweed package metadata: gitsign from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

### Windows

- Scoop (92%):

```sh
scoop install main/gitsign
```

  Evidence: Scoop official bucket manifest trees: bucket/gitsign.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:gitsign
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/gitsign>
- **Version:** 0.16.1
- **Source summary:** Keyless Git signing using Sigstore
- **Homepage:** <https://github.com/sigstore/gitsign>
- **Repository:** <https://github.com/sigstore/gitsign>
- **Upstream docs:** <https://docs.sigstore.dev/>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/sigstore/gitsign/archive/refs/tags/v0.16.1.tar.gz>
- **Last updated:** 2026-06-08T21:43:20Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- gitsign (cli)
- gitsign-credential-cache (cli)
- gitsign (alias)
- gitsign-credential-cache (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.16.1
- Package-manager updated: 2026-06-08
- Local data: ok
- Upstream repository: https://github.com/sigstore/gitsign
- Upstream latest detected: v0.16.1 (current)
## Project history and usage

gitsign is a Sigstore tool for keyless signing of Git commits and tags. It uses OpenID Connect identities and Sigstore infrastructure instead of long-lived local signing keys.

### Project history

The gitsign repository was created in May 2022 under the Sigstore organization. Its README says the tool was heavily inspired by GitHub's smimesign, but substitutes keyless Sigstore signing with a GitHub or other OIDC identity.

### Adoption history

gitsign belongs to the broader Sigstore supply-chain security ecosystem alongside Fulcio, Rekor, and Cosign. Its adoption story is tied to the move from personal key management toward short-lived certificates, identity-backed signatures, and transparency-log verification.

### How it is used

Practitioners configure Git to use `gitsign` as the `gpg.x509.program`, set `gpg.format` to `x509`, and then sign commits with `git commit -S` or sign tags with `git tag -s`. Verification commonly uses `gitsign verify` so callers can check both cryptographic integrity and certificate identity claims.

### Why package nerds care

For package maintainers, gitsign is important because it brings Sigstore's keyless model to Git history rather than only to container images or release artifacts. It packages a security workflow as a Git signing backend with a small CLI surface and a credential-cache helper.

### Timeline

- 2022: Repository created under the Sigstore organization.
- 2022: Test release published from the new repository.
- 2020s: Distributed through Homebrew, Debian, MacPorts, Nix, Arch, Scoop, and zypper package channels.

### Related projects

- gitsign is related to Sigstore, Fulcio, Rekor, Cosign, Git's X.509 signing support, and GitHub's smimesign.

### Sources

- <https://api.github.com/repos/sigstore/gitsign>
- <https://api.github.com/repos/sigstore/gitsign/releases>
- <https://docs.sigstore.dev/>
- <https://docs.sigstore.dev/cosign/signing/git_support/>
- <https://formulae.brew.sh/formula/gitsign>
- <https://github.com/sigstore/gitsign>
- <https://raw.githubusercontent.com/sigstore/gitsign/main/README.md>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: .git/config, ~/.gitconfig
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** gitsign
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Debian apt - gitsign - 0.13.0-2+b2: normalized package name match | Debian stable package indexes: gitsign from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Keyless Git signing using Sigstore (program) | https://github.com/sigstore/gitsign
- Debian apt - golang-github-sigstore-gitsign-dev - 0.13.0-2: normalized package name match | Debian stable package indexes: golang-github-sigstore-gitsign-dev from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Keyless Git signing using Sigstore (library) | https://github.com/sigstore/gitsign
- Nix - gitsign: normalized package name match | nixpkgs package indexes: pkgs/by-name/gi/gitsign/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- pacman - gitsign - 0.14.0-2: normalized package name match | Arch Linux sync databases: gitsign from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | Keyless Git signing using Sigstore | https://github.com/sigstore/gitsign
- zypper - gitsign - 0.16.0-1.1: normalized package name match | openSUSE Tumbleweed package metadata: gitsign from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Keyless Git signing using Sigstore | https://github.com/sigstore/gitsign
- zypper - gitsign-credential-cache - 0.16.0-1.1: normalized package name match | openSUSE Tumbleweed package metadata: gitsign-credential-cache from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Credential cache for gitsign | https://github.com/sigstore/gitsign
- MacPorts - gitsign: normalized package name match | MacPorts ports tree: security/gitsign/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
- Scoop - main/gitsign: normalized package name match | Scoop official bucket manifest trees: bucket/gitsign.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [cosign](https://www.automicvault.com/pkg/brew/cosign/) - Shares av.db curated category or tags: cli, security, sigstore, software-supply-chain, supply-chain-security.
- [gittuf](https://www.automicvault.com/pkg/brew/gittuf/) - Shares av.db curated category or tags: cli, git, security, software-supply-chain, supply-chain-security.
- [rekor-cli](https://www.automicvault.com/pkg/brew/rekor-cli/) - Shares av.db curated category or tags: cli, security, sigstore, software-supply-chain, supply-chain-security.
- [sigstore](https://www.automicvault.com/pkg/brew/sigstore/) - Shares av.db curated category or tags: cli, security, sigstore, software-supply-chain, supply-chain-security.
- [notation](https://www.automicvault.com/pkg/brew/notation/) - Shares av.db curated category or tags: cli, security, signing, software-supply-chain, supply-chain-security.
- [poutine](https://www.automicvault.com/pkg/brew/poutine/) - Shares av.db curated category or tags: cli, security, software-supply-chain, supply-chain-security.
- [safety](https://www.automicvault.com/pkg/brew/safety/) - Shares av.db curated category or tags: cli, security, software-supply-chain, supply-chain-security.
- [bom](https://www.automicvault.com/pkg/brew/bom/) - Shares av.db curated category or tags: cli, security, software-supply-chain.
- [cdxgen](https://www.automicvault.com/pkg/brew/cdxgen/) - Security-sensitive metadata or terminology overlaps. Shared terms: chain, cli, security, software-supply-chain, supply.

## Combined YAML source

View the package source record on GitHub. [combined/gitsign.yml](https://github.com/automic-vault/db/blob/main/combined/gitsign.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
