Automic VaultAutomic Vault

brew

Install gittuf with Homebrew, apt, Nix, winget

Security layer for Git repositories. Version 0.15.0 via Homebrew; verified 2026-06-30.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install gittuf

local Homebrew formula metadata

Linux

Debian aptverified · 92%
sudo apt install gittuf

Debian stable package indexes · gittuf · source: deb.debian.org

Nixverified · 92%
nix profile install nixpkgs#gittuf

nixpkgs package indexes · pkgs/by-name/gi/gittuf/package.nix · source: api.github.com

Windows

Windows Package Managerverified · 92%
winget install --id gittuf.gittuf -e

Windows Package Manager source index · gittuf.gittuf · source: cdn.winget.microsoft.com

overview

Package summary

Security layer for Git repositories

Commands and aliases

  • git-remote-gittuf
  • gittuf

history

Project history and usage

gittuf is a Git repository security system that brings The Update Framework-style policy metadata, signed trust roots, and independent verification to source control. Its main claim to package-manager relevance is that it treats Git history and Git references as supply-chain assets rather than merely developer convenience data.

Project history

The gittuf repository was opened in 2022, with the project describing itself as a platform-agnostic Git security system. Its README states that repository maintainers can use gittuf to protect repository contents from unauthorized or malicious changes and to avoid making a Git forge the single point of trust.

The first GitHub release, v0.1.0, was published in October 2023. The roadmap shows the project evolving through alpha and beta milestones, policy files, a reference state log, metadata synchronization, and dogfooding of the gittuf repository itself.

The design expanded beyond basic reference protection into supply-chain attestations. The roadmap records in-toto attestation support as reached by April 2024 and describes work on Git forge integration, including a GitHub app that records code-review and merge attestations and reports verification status on pull requests.

Adoption history

gittuf's adoption story is institutional as well as technical: the README identifies it as an incubating Open Source Security Foundation project in the Supply Chain Integrity Working Group. Packaging across Homebrew, Debian, Nix, and WinGet gives the tool the installation surface expected for security tooling that may be evaluated by teams on different operating systems.

The project sits near Sigstore, gitsign, in-toto, and SLSA in the software supply-chain ecosystem. Its distinguishing role is source-control policy verification that can be checked outside any one forge.

How it is used

A typical workflow starts by generating keys, initializing a Git repository, running `gittuf trust init`, adding policy keys, creating policy rules for protected branches or files, staging and applying policy metadata, and recording reference changes in the reference state log.

Practitioners use `gittuf verify-ref` to check whether a reference follows policy, `gittuf sync` or the `git-remote-gittuf` transport to move gittuf metadata with remote repositories, and manual Git ref pushes or fetches for environments that prefer explicit metadata handling.

Why package nerds care

gittuf matters to package nerds because it frames source repository state as an input to downstream package trust. It complements artifact signing and provenance by asking whether the Git branch, tag, or file path that produced a package was changed by an authorized identity under an auditable policy.

Timeline

  • 2022: Public GitHub repository opened.
  • 2023: v0.1.0 release published.
  • 2024: Roadmap records in-toto attestation integration as reached.
  • 2025: Roadmap describes GitHub app integration work for pull-request attestations and policy verification status checks.

Related projects

  • The Update Framework.
  • OpenSSF Supply Chain Integrity Working Group.
  • Sigstore, gitsign, in-toto, and SLSA.
  • GitHub and GitLab repository policy systems.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
git-remote-gittufcliglobal executable
gittufcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.15.0
manager updated2026-06-30
local dataok
upstreamcurrent
latest detectedv0.15.0

https://github.com/gittuf/gittuf

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:gittuf
Version0.15.0
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/gittuf
Homepagehttps://gittuf.dev/
Repositoryhttps://github.com/gittuf/gittuf
Upstream docshttps://gittuf.dev/documentation
LicenseApache-2.0
Source archivehttps://github.com/gittuf/gittuf/archive/refs/tags/v0.15.0.tar.gz
Last updated2026-06-30T18:15:30Z
Pulseupdated
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namegittuf
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Debian apt95%

gittuf 0.9.0-5+b6

security layer for Git repositories (program)

https://github.com/gittuf/gittuf

sudo apt install gittuf
  • Section: vcs
  • Architecture: amd64
  • Source Package: gittuf
  • 1 dependencies
  • normalized package name match
  • Matched by: Gittuf
Debian stable package indexes · deb.debian.org · Debian stable package indexes: gittuf from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
Debian apt95%

golang-github-gittuf-gittuf-dev 0.9.0-5

security layer for Git repositories (Go library)

https://github.com/gittuf/gittuf

sudo apt install golang-github-gittuf-gittuf-dev
  • Section: golang
  • Architecture: all
  • Source Package: gittuf
  • 21 dependencies
  • normalized package name match
  • Matched by: Gittuf
Debian stable package indexes · deb.debian.org · Debian stable package indexes: golang-github-gittuf-gittuf-dev from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
Nix95%

gittuf

nix profile install nixpkgs#gittuf
  • normalized package name match
  • Matched by: Gittuf
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/gi/gittuf/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
winget95%

gittuf.gittuf

winget install --id gittuf.gittuf -e
  • normalized package name match
  • Matched by: Gittuf
Windows Package Manager source index · cdn.winget.microsoft.com · Windows Package Manager source index: gittuf.gittuf from https://cdn.winget.microsoft.com/cache/source.msix
winget92%

gittuf.git-remote-gittuf

winget install --id gittuf.git-remote-gittuf -e
  • installed executable or alias match
  • Matched by: Git Remote Gittuf
Windows Package Manager source index · cdn.winget.microsoft.com · Windows Package Manager source index: gittuf.git-remote-gittuf from https://cdn.winget.microsoft.com/cache/source.msix

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment