gitsign
Description:
Keyless Git signing using Sigstore
Type: Formula  |  Latest Version: 0.13.0@0  |  Tracked Since: Dec 25, 2025
Links: Homepage  |  GitHub  |  @sigstore  |  formulae.brew.sh
Stars: 1,044  |  Forks: 73  |  Language: Go  |  Category: Security
Tags: git security signing sigstore devops supply-chain
Install: brew install gitsign
About:
Gitsign is a Git signing tool that uses Sigstore's keyless framework to sign Git commits and tags with OpenID Connect (OIDC) identity tokens. Instead of managing traditional long-lived GPG keys, it obtains an ephemeral certificate tied to your identity from Sigstore's Fulcio certificate authority and records the signature in the Rekor transparency log. This approach significantly simplifies the signing process while keeping signatures verifiable and the software supply chain transparent.
Key Features:
  • Keyless signing using OIDC identity (GitHub, Google, etc.)
  • Automatic transparency logging via Rekor
  • Drop-in replacement for GPG signing workflows
  • Verifiable commit signatures without key distribution
Use Cases:
  • Securing Git commits in CI/CD pipelines without managing long-lived keys
  • Establishing developer identity in open source contributions
  • Creating a tamper-evident audit trail for repository history
Alternatives:
  • GPG – Traditional key management is complex; Gitsign eliminates key distribution overhead
  • SSH signing – Requires SSH key infrastructure; Gitsign uses identity providers instead
Version History
Detected  |  Version  |  Rev  |  Change  |  Commit
Dec 25, 2025 6:01pm  |  0.13.0  |  0  |  VERSION_BUMP  |  0a685be3
Sep 11, 2025 2:28pm  |    |  0  |  VERSION_BUMP  |  761ffcdd
Oct 23, 2024 9:34pm  |    |  0  |  VERSION_BUMP  |  b3f9db45