gittuf is an open-source security project that hardens the Git ecosystem by adding cryptographically verifiable policies to every clone, fetch, and push operation. Its two utilities form a minimal but tightly integrated toolchain: the core gittuf runtime enforces rule-based access controls, mandatory commit signing, and immutable reference histories inside any repository, while git-remote-gittuf supplies a custom transfer protocol that streams these guarantees across the network. Together they let development teams treat policy as code—defining who can update branches, which keys must sign tags, and how history can be rewritten—without altering existing Git workflows. Typical use cases include supply-chain protection for public projects, policy-driven release engineering in regulated industries, and secure forking workflows in enterprise environments where traditional ACLs are too coarse. By layering transparent signature verification and tamper-evident metadata atop standard Git refs, gittuf converts ordinary repositories into hardened artifacts that continuous-integration systems, package managers, and auditors can trust. The software is available for free on get.nero.com; downloads are delivered through trusted Windows package sources such as winget, always fetch the latest upstream release, and may be installed individually or in unattended batch sessions.