# Install slsa-verifier with Homebrew, Nix, zypper

Verify provenance from SLSA compliant builders. Version 2.7.1 via Homebrew; verified from local package data.

## Install

```sh
sudo av install brew:slsa-verifier
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install slsa-verifier
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#slsa-verifier
```

  Evidence: nixpkgs package indexes: pkgs/by-name/sl/slsa-verifier/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- zypper (92%):

```sh
sudo zypper install slsa-verifier
```

  Evidence: openSUSE Tumbleweed package metadata: slsa-verifier from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

## Package facts

- **Package key:** brew:slsa-verifier
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/slsa-verifier>
- **Version:** 2.7.1
- **Source summary:** Verify provenance from SLSA compliant builders
- **Homepage:** <https://github.com/slsa-framework/slsa-verifier>
- **Repository:** <https://github.com/slsa-framework/slsa-verifier>
- **Upstream docs:** <https://github.com/slsa-framework/slsa-verifier#readme>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/slsa-framework/slsa-verifier/archive/refs/tags/v2.7.1.tar.gz>
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- slsa-verifier (cli)
- slsa-verifier (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 2.7.1
- Local data: ok
- Upstream repository: https://github.com/slsa-framework/slsa-verifier
- Upstream latest detected: v2.7.1 (current)
- info: No package-manager update timestamp was available.
## Project history and usage

slsa-verifier is the SLSA project's command-line verifier for provenance attached to software artifacts. It is used in CI and release workflows to check that an artifact, image, or package was built by an expected builder from expected source inputs.

### Project history

The GitHub repository was created in March 2022 and its first public GitHub release, v0.0.1, was published in May 2022. The README describes the tool as a verifier for SLSA provenance generated by CI/CD builders, including checks of cryptographic signatures and expected builder, source repository, and ref values.

### Adoption history

The official README documents installation through Go, release binaries, a GitHub Actions installer, and a community-maintained Homebrew formula. The supplied package metadata also lists Homebrew, Nix, and zypper package names, showing distribution through both developer workstations and reproducible-build/package-manager ecosystems.

### How it is used

Common usage is to run `slsa-verifier` in a release or dependency-ingestion path to verify provenance for artifacts, containers, npm packages, Google Cloud Build output, and GitHub build-provenance attestations.

### Why package nerds care

Package maintainers care about slsa-verifier because it turns SLSA provenance, in-toto statements, and Sigstore-style attestations into a concrete command that can be wired into package publication and consumption workflows.

### Timeline

- 2022: GitHub repository created.
- 2022: v0.0.1 published as the first GitHub release.
- 2025: v2.7.1 documented in the README install examples.

### Related projects

- SLSA generator, Google Cloud Build provenance, GitHub build-provenance attestations, npm provenance, in-toto, and Sigstore are adjacent parts of the same supply-chain verification culture.

### Sources

- <https://api.github.com/repos/slsa-framework/slsa-verifier>
- <https://api.github.com/repos/slsa-framework/slsa-verifier/releases>
- <https://github.com/slsa-framework/slsa-verifier#readme>
- <https://github.com/slsa-framework/slsa-verifier/tree/main/docs>
- input.source_facts.package-manager


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** slsa-verifier
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - slsa-verifier: normalized package name match | nixpkgs package indexes: pkgs/by-name/sl/slsa-verifier/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- zypper - slsa-verifier - 2.7.1-1.4: normalized package name match | openSUSE Tumbleweed package metadata: slsa-verifier from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Verify provenance from SLSA compliant builders | https://github.com/slsa-framework/slsa-verifier


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [witness](https://www.automicvault.com/pkg/brew/witness/) - Shares av.db curated category or tags: cli, provenance, security, supply-chain, supply-chain-security.
- [chain-bench](https://www.automicvault.com/pkg/brew/chain-bench/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [opensca-cli](https://www.automicvault.com/pkg/brew/opensca-cli/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [parlay](https://www.automicvault.com/pkg/brew/parlay/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [ratify](https://www.automicvault.com/pkg/brew/ratify/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [vet](https://www.automicvault.com/pkg/brew/vet/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [zizmor](https://www.automicvault.com/pkg/brew/zizmor/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [frizbee](https://www.automicvault.com/pkg/brew/frizbee/) - Shares av.db curated category or tags: cli, security, supply-chain.

## Combined YAML source

View the package source record on GitHub. [combined/slsa-verifier.yml](https://github.com/automic-vault/db/blob/main/combined/slsa-verifier.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
