# Install witness with Homebrew, Nix

Automates, normalizes, and verifies software artifact provenance. Version 0.11.0 via Homebrew; verified 2026-04-14.

## Install

```sh
sudo av install brew:witness
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install witness
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#witness
```

  Evidence: nixpkgs package indexes: pkgs/by-name/wi/witness/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:witness
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/witness>
- **Version:** 0.11.0
- **Source summary:** Automates, normalizes, and verifies software artifact provenance
- **Homepage:** <https://witness.dev>
- **Repository:** <https://github.com/in-toto/witness>
- **Upstream docs:** <https://witness.dev/>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/in-toto/witness/archive/refs/tags/v0.11.0.tar.gz>
- **Last updated:** 2026-04-14T22:15:45Z
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- witness (cli)
- witness (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.11.0
- Package-manager updated: 2026-04-14
- Local data: ok
- Upstream repository: https://github.com/in-toto/witness
- Upstream latest detected: v0.11.0 (current)
## Project history and usage

Witness is an in-toto supply-chain security CLI for producing and verifying attestations about software artifacts and build steps. The project describes itself as a pluggable framework that automates, normalizes, and verifies software artifact provenance, combining attestation generation with a policy engine.

### Project history

Witness originated at TestifySec and was later donated to the CNCF in-toto ecosystem. TestifySec's open-source statement dates the formal donation of Witness and Archivista to January 2024, after ratification by the in-toto steering committee, giving the project community governance under the same ecosystem as the in-toto specification.

### Adoption history

Witness sits inside the broader in-toto adoption story. CNCF records in-toto as accepted on August 14, 2019, moved to Incubating on March 10, 2022, and Graduated on February 10, 2025. That matters for Witness because it implements the in-toto specification in a CLI intended for real pipelines, and its README points users to CNCF Slack channels and open community meetings rather than a vendor-only support path.

The project is also tied to adjacent supply-chain standards and systems. The Witness README lists support for in-toto enhancement work, OPA Rego policy, Sigstore and SPIFFE/SPIRE signing paths, timestamp authorities, and Archivista storage, reflecting the post-SolarWinds era movement toward verifiable build provenance, signed attestations, and policy-driven release gates.

### How it is used

A typical Witness workflow runs a command under `witness run` during a build or release step, collects attestations from configured attestors, signs them, and later verifies the resulting collection against a signed policy. The goal is to answer who performed a supply-chain step, what materials and products were involved, and whether the step satisfied policy before an artifact is trusted or deployed.

### Why package nerds care

For package and release engineers, Witness is significant because it turns provenance from a document attached at the end of a release into machine-verifiable metadata emitted by each lifecycle step. It is part of the same tooling vocabulary as SLSA provenance, Sigstore signing, OPA/Rego policy, and SBOM/attestation storage, making it a package-nerd tool for proving how an artifact came to exist.

### Timeline

- 2021-12-03: the current GitHub repository was created.
- 2024-01: TestifySec donated Witness and Archivista as in-toto subprojects.
- 2025-02-10: in-toto reached CNCF Graduated maturity, strengthening the ecosystem context around Witness.

### Sources

- <https://api.github.com/repos/in-toto/witness>
- <https://github.com/in-toto/witness>
- <https://witness.dev/>
- <https://www.cncf.io/projects/in-toto/>
- <https://www.testifysec.com/opensource/>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** witness
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - witness: normalized package name match | nixpkgs package indexes: pkgs/by-name/wi/witness/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [Homebrew utility packages](https://www.automicvault.com/pkg/brew-utility-packages/) - Matched Homebrew package provider.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [slsa-verifier](https://www.automicvault.com/pkg/brew/slsa-verifier/) - Shares av.db curated category or tags: cli, provenance, security, supply-chain, supply-chain-security.
- [chain-bench](https://www.automicvault.com/pkg/brew/chain-bench/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [opensca-cli](https://www.automicvault.com/pkg/brew/opensca-cli/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [parlay](https://www.automicvault.com/pkg/brew/parlay/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [ratify](https://www.automicvault.com/pkg/brew/ratify/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [vet](https://www.automicvault.com/pkg/brew/vet/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [zizmor](https://www.automicvault.com/pkg/brew/zizmor/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [frizbee](https://www.automicvault.com/pkg/brew/frizbee/) - Shares av.db curated category or tags: cli, security, supply-chain.

## Combined YAML source

View the package source record on GitHub. [combined/witness.yml](https://github.com/automic-vault/db/blob/main/combined/witness.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
