Container Signing and Verification for Retraced
Retraced container images are signed and can be verified using cosign.
Fetching our public key
oras pull ghcr.io/boxyhq/cosign.pub:latest
Note: This is supported for all versions >=1.5.0
Our container images are hosted on Docker Hub. You can verify it by using the following command.
cosign verify --key cosign.pub retracedhq/retraced:<version>