macOS
brew install witnesslocal Homebrew formula metadata
brew
Automates, normalizes, and verifies software artifact provenance. Version 0.11.0 via Homebrew; verified 2026-04-14.
install
brew install witnesslocal Homebrew formula metadata
nix profile install nixpkgs#witnessnixpkgs package indexes · pkgs/by-name/wi/witness/package.nix · source: api.github.com
overview
Automates, normalizes, and verifies software artifact provenance
history
Witness is an in-toto supply-chain security CLI for producing and verifying attestations about software artifacts and build steps. The project describes itself as a pluggable framework that automates, normalizes, and verifies software artifact provenance, combining attestation generation with a policy engine.
Witness originated at TestifySec and was later donated to the CNCF in-toto ecosystem. TestifySec's open-source statement dates the formal donation of Witness and Archivista to January 2024, after ratification by the in-toto steering committee, giving the project community governance under the same ecosystem as the in-toto specification.
Witness sits inside the broader in-toto adoption story. CNCF records in-toto as accepted on August 14, 2019, moved to Incubating on March 10, 2022, and Graduated on February 10, 2025. That matters for Witness because it implements the in-toto specification in a CLI intended for real pipelines, and its README points users to CNCF Slack channels and open community meetings rather than a vendor-only support path.
The project is also tied to adjacent supply-chain standards and systems. The Witness README lists support for in-toto enhancement work, OPA Rego policy, Sigstore and SPIFFE/SPIRE signing paths, timestamp authorities, and Archivista storage, reflecting the post-SolarWinds era movement toward verifiable build provenance, signed attestations, and policy-driven release gates.
A typical Witness workflow runs a command under `witness run` during a build or release step, collects attestations from configured attestors, signs them, and later verifies the resulting collection against a signed policy. The goal is to answer who performed a supply-chain step, what materials and products were involved, and whether the step satisfied policy before an artifact is trusted or deployed.
For package and release engineers, Witness is significant because it turns provenance from a document attached at the end of a release into machine-verifiable metadata emitted by each lifecycle step. It is part of the same tooling vocabulary as SLSA provenance, Sigstore signing, OPA/Rego policy, and SBOM/attestation storage, making it a package-nerd tool for proving how an artifact came to exist.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
witness | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/in-toto/witness
install metadata
| Package key | brew:witness |
|---|---|
| Version | 0.11.0 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/witness |
| Homepage | https://witness.dev |
| Repository | https://github.com/in-toto/witness |
| Upstream docs | https://witness.dev/ |
| License | Apache-2.0 |
| Source archive | https://github.com/in-toto/witness/archive/refs/tags/v0.11.0.tar.gz |
| Last updated | 2026-04-14T22:15:45Z |
| Pulse | updated |
| Build dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | witness |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
witness
nix profile install nixpkgs#witnesssource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.