Container Signing and Verification for Retraced

Retraced container images are signed and can be verified using cosign.

Fetching our public key

You can use oras (or a similar OCI artifacts tool) to fetch our public key or download it from our website here.

oras pull ghcr.io/boxyhq/cosign.pub:latest

Note: This is supported for all versions >=1.5.0

Our container images are hosted on Docker Hub. You can verify it by using the following command.

cosign verify --key cosign.pub retracedhq/retraced:<version>