# Install gittuf with Homebrew, apt, Nix, winget

Security layer for Git repositories. Version 0.15.0 via Homebrew; verified 2026-06-30.

## Install

```sh
sudo av install brew:gittuf
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install gittuf
```

  Evidence: local Homebrew formula metadata

### Linux

- Debian apt (92%):

```sh
sudo apt install gittuf
```

  Evidence: Debian stable package indexes: gittuf from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- Nix (92%):

```sh
nix profile install nixpkgs#gittuf
```

  Evidence: nixpkgs package indexes: pkgs/by-name/gi/gittuf/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

### Windows

- winget (92%):

```sh
winget install --id gittuf.gittuf -e
```

  Evidence: Windows Package Manager source index: gittuf.gittuf from https://cdn.winget.microsoft.com/cache/source.msix

## Package facts

- **Package key:** brew:gittuf
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/gittuf>
- **Version:** 0.15.0
- **Source summary:** Security layer for Git repositories
- **Homepage:** <https://gittuf.dev/>
- **Repository:** <https://github.com/gittuf/gittuf>
- **Upstream docs:** <https://gittuf.dev/documentation>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/gittuf/gittuf/archive/refs/tags/v0.15.0.tar.gz>
- **Last updated:** 2026-06-30T18:15:30Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- git-remote-gittuf (cli)
- gittuf (cli)
- git-remote-gittuf (alias)
- gittuf (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.15.0
- Package-manager updated: 2026-06-30
- Local data: ok
- Upstream repository: https://github.com/gittuf/gittuf
- Upstream latest detected: v0.15.0 (current)
## Project history and usage

gittuf is a Git repository security system that brings The Update Framework-style policy metadata, signed trust roots, and independent verification to source control. Its main claim to package-manager relevance is that it treats Git history and Git references as supply-chain assets rather than merely developer convenience data.

### Project history

The gittuf repository was opened in 2022, with the project describing itself as a platform-agnostic Git security system. Its README states that repository maintainers can use gittuf to protect repository contents from unauthorized or malicious changes and to avoid making a Git forge the single point of trust.

The first GitHub release, v0.1.0, was published in October 2023. The roadmap shows the project evolving through alpha and beta milestones, policy files, a reference state log, metadata synchronization, and dogfooding of the gittuf repository itself.

The design expanded beyond basic reference protection into supply-chain attestations. The roadmap records in-toto attestation support as reached by April 2024 and describes work on Git forge integration, including a GitHub app that records code-review and merge attestations and reports verification status on pull requests.

### Adoption history

gittuf's adoption story is institutional as well as technical: the README identifies it as an incubating Open Source Security Foundation project in the Supply Chain Integrity Working Group. Packaging across Homebrew, Debian, Nix, and WinGet gives the tool the installation surface expected for security tooling that may be evaluated by teams on different operating systems.

The project sits near Sigstore, gitsign, in-toto, and SLSA in the software supply-chain ecosystem. Its distinguishing role is source-control policy verification that can be checked outside any one forge.

### How it is used

A typical workflow starts by generating keys, initializing a Git repository, running `gittuf trust init`, adding policy keys, creating policy rules for protected branches or files, staging and applying policy metadata, and recording reference changes in the reference state log.

Practitioners use `gittuf verify-ref` to check whether a reference follows policy, `gittuf sync` or the `git-remote-gittuf` transport to move gittuf metadata with remote repositories, and manual Git ref pushes or fetches for environments that prefer explicit metadata handling.

### Why package nerds care

gittuf matters to package nerds because it frames source repository state as an input to downstream package trust. It complements artifact signing and provenance by asking whether the Git branch, tag, or file path that produced a package was changed by an authorized identity under an auditable policy.

### Timeline

- 2022: Public GitHub repository opened.
- 2023: v0.1.0 release published.
- 2024: Roadmap records in-toto attestation integration as reached.
- 2025: Roadmap describes GitHub app integration work for pull-request attestations and policy verification status checks.

### Related projects

- The Update Framework.
- OpenSSF Supply Chain Integrity Working Group.
- Sigstore, gitsign, in-toto, and SLSA.
- GitHub and GitLab repository policy systems.

### Sources

- <https://api.github.com/repos/gittuf/gittuf>
- <https://api.github.com/repos/gittuf/gittuf/releases>
- <https://formulae.brew.sh/formula/gittuf>
- <https://github.com/gittuf/gittuf>
- <https://gittuf.dev/documentation>
- <https://gittuf.dev/quickstart>
- <https://raw.githubusercontent.com/gittuf/gittuf/main/README.md>
- <https://raw.githubusercontent.com/gittuf/gittuf/main/docs/get-started.md>
- <https://raw.githubusercontent.com/gittuf/gittuf/main/docs/roadmap.md>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** gittuf
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Debian apt - gittuf - 0.9.0-5+b6: normalized package name match | Debian stable package indexes: gittuf from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | security layer for Git repositories (program) | https://github.com/gittuf/gittuf
- Debian apt - golang-github-gittuf-gittuf-dev - 0.9.0-5: normalized package name match | Debian stable package indexes: golang-github-gittuf-gittuf-dev from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | security layer for Git repositories (Go library) | https://github.com/gittuf/gittuf
- Nix - gittuf: normalized package name match | nixpkgs package indexes: pkgs/by-name/gi/gittuf/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- winget - gittuf.gittuf: normalized package name match | Windows Package Manager source index: gittuf.gittuf from https://cdn.winget.microsoft.com/cache/source.msix
- winget - gittuf.git-remote-gittuf: installed executable or alias match | Windows Package Manager source index: gittuf.git-remote-gittuf from https://cdn.winget.microsoft.com/cache/source.msix


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [git-remote-gcrypt](https://www.automicvault.com/pkg/brew/git-remote-gcrypt/) - Shares av.db curated category or tags: cli, git, security, version-control.
- [gitsign](https://www.automicvault.com/pkg/brew/gitsign/) - Shares av.db curated category or tags: cli, git, security, software-supply-chain, supply-chain-security.
- [cargo-audit](https://www.automicvault.com/pkg/brew/cargo-audit/) - Shares av.db curated category or tags: cli, security, software-supply-chain.
- [cosign](https://www.automicvault.com/pkg/brew/cosign/) - Shares av.db curated category or tags: cli, security, software-supply-chain, supply-chain-security.
- [git-secret](https://www.automicvault.com/pkg/brew/git-secret/) - Shares av.db curated category or tags: cli, git, security, version-control.
- [notation](https://www.automicvault.com/pkg/brew/notation/) - Shares av.db curated category or tags: cli, security, software-supply-chain, supply-chain-security.
- [phylum-cli](https://www.automicvault.com/pkg/brew/phylum-cli/) - Shares av.db curated category or tags: cli, security, software-supply-chain.
- [poutine](https://www.automicvault.com/pkg/brew/poutine/) - Shares av.db curated category or tags: cli, security, software-supply-chain, supply-chain-security.

## Combined YAML source

View the package source record on GitHub. [combined/gittuf.yml](https://github.com/automic-vault/db/blob/main/combined/gittuf.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
