witness 0.10.2-1
Package Information
| Description | software supply chain risk management framework (program) What does Witness do? ✏️ **Attests** - Witness is a dynamic CLI tool that integrates into pipelines and infrastructure to create an audit trail for your software's entire journey through the software development lifecycle (SDLC) using the in-toto specification. **🧐 Verifies** - Witness also features its own policy engine with embedded support for OPA Rego, so you can ensure that your software was handled safely from source to deployment. What can you do with Witness? * Verify how your software was produced and what tools were used * Ensure that each step of the supply chain was completed by authorized users and machines * Detect potential tampering or malicious activity * Distribute attestations and policy across air gaps Key Features * Integrations with GitLab, GitHub, AWS, and GCP. * Designed to run in both containerized and non-containerized environments **without** elevated privileges. * Implements the in-toto specification (including ITE-5, ITE-6 and ITE-7) * An embedded OPA Rego policy engine for policy enforcement * Keyless signing with Sigstore and SPIFFE/SPIRE * Integration with RFC3161 compatible timestamp authorities * Process tracing and process tampering prevention (Experimental) * Attestation storage with Archivista (https://github.com/in-toto/archivista) This package contains the binaries. |
|---|---|
| Maintainer | Debian Go Packaging Team <team+pkg-go@tracker.debian.org> |
| Changed By | Simon Josefsson <simon@josefsson.org> |
| Sponsor | simon@josefsson.org |
| Distribution | unstable |
| Architecture | any all |
| VCS | git: https://salsa.debian.org/go-team/packages/witness.git (browse) |
| Closes | #1093252 |
| Tracker | https://tracker.debian.org/pkg/witness |
| Uploaded | 3 hours ago |
New Package Report
.changes
| Version | 0.10.2-1 |
|---|---|
| Changed-By | Simon Josefsson |
| Architecture | source all amd64 |
| Distribution | unstable |
| Date | Thu, 19 Mar 2026 17:32:24 +0100 |
| Source | witness |
Changelog
witness (0.10.2-1) unstable; urgency=medium
.
* Initial release (Closes: #1093252)
.dsc
| Section | golang |
|---|---|
| Priority | optional |
| Component | main |
| Package-List | golang-github-in-toto-witness-dev deb golang optional arch=all witness deb devel optional arch=any |
debian/copyright
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Source: https://github.com/in-toto/witness
Upstream-Name: witness
Files: *
Copyright: 2021 TestifySec, LLC.
2021-2025 The Witness Contributors
License: Apache-2.0
Files: debian/*
Copyright: 2025-2026 Simon Josefsson <simon@josefsson.org>
License: Apache-2.0
Comment: Debian packaging is licensed under the same terms as upstream
License: Apache-2.0
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
.
https://www.apache.org/licenses/LICENSE-2.0
.
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Comment:
On Debian systems, the complete text of the Apache version 2.0 license
can be found in "/usr/share/common-licenses/Apache-2.0".