macOS
brew install gittuflocal Homebrew formula metadata
brew
Security layer for Git repositories. Version 0.15.0 via Homebrew; verified 2026-06-30.
install
brew install gittuflocal Homebrew formula metadata
sudo apt install gittufDebian stable package indexes · gittuf · source: deb.debian.org
nix profile install nixpkgs#gittufnixpkgs package indexes · pkgs/by-name/gi/gittuf/package.nix · source: api.github.com
winget install --id gittuf.gittuf -eWindows Package Manager source index · gittuf.gittuf · source: cdn.winget.microsoft.com
overview
Security layer for Git repositories
history
gittuf is a Git repository security system that brings The Update Framework-style policy metadata, signed trust roots, and independent verification to source control. Its main claim to package-manager relevance is that it treats Git history and Git references as supply-chain assets rather than merely developer convenience data.
The gittuf repository was opened in 2022, with the project describing itself as a platform-agnostic Git security system. Its README states that repository maintainers can use gittuf to protect repository contents from unauthorized or malicious changes and to avoid making a Git forge the single point of trust.
The first GitHub release, v0.1.0, was published in October 2023. The roadmap shows the project evolving through alpha and beta milestones, policy files, a reference state log, metadata synchronization, and dogfooding of the gittuf repository itself.
The design expanded beyond basic reference protection into supply-chain attestations. The roadmap records in-toto attestation support as reached by April 2024 and describes work on Git forge integration, including a GitHub app that records code-review and merge attestations and reports verification status on pull requests.
gittuf's adoption story is institutional as well as technical: the README identifies it as an incubating Open Source Security Foundation project in the Supply Chain Integrity Working Group. Packaging across Homebrew, Debian, Nix, and WinGet gives the tool the installation surface expected for security tooling that may be evaluated by teams on different operating systems.
The project sits near Sigstore, gitsign, in-toto, and SLSA in the software supply-chain ecosystem. Its distinguishing role is source-control policy verification that can be checked outside any one forge.
A typical workflow starts by generating keys, initializing a Git repository, running `gittuf trust init`, adding policy keys, creating policy rules for protected branches or files, staging and applying policy metadata, and recording reference changes in the reference state log.
Practitioners use `gittuf verify-ref` to check whether a reference follows policy, `gittuf sync` or the `git-remote-gittuf` transport to move gittuf metadata with remote repositories, and manual Git ref pushes or fetches for environments that prefer explicit metadata handling.
gittuf matters to package nerds because it frames source repository state as an input to downstream package trust. It complements artifact signing and provenance by asking whether the Git branch, tag, or file path that produced a package was changed by an authorized identity under an auditable policy.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
git-remote-gittuf | cli | global executable | |
gittuf | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/gittuf/gittuf
install metadata
| Package key | brew:gittuf |
|---|---|
| Version | 0.15.0 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/gittuf |
| Homepage | https://gittuf.dev/ |
| Repository | https://github.com/gittuf/gittuf |
| Upstream docs | https://gittuf.dev/documentation |
| License | Apache-2.0 |
| Source archive | https://github.com/gittuf/gittuf/archive/refs/tags/v0.15.0.tar.gz |
| Last updated | 2026-06-30T18:15:30Z |
| Pulse | updated |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | gittuf |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
gittuf 0.9.0-5+b6
security layer for Git repositories (program)
https://github.com/gittuf/gittuf
sudo apt install gittufgolang-github-gittuf-gittuf-dev 0.9.0-5
security layer for Git repositories (Go library)
https://github.com/gittuf/gittuf
sudo apt install golang-github-gittuf-gittuf-devgittuf
nix profile install nixpkgs#gittufgittuf.gittuf
winget install --id gittuf.gittuf -egittuf.git-remote-gittuf
winget install --id gittuf.git-remote-gittuf -esource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.