Verifying Containers

PlexTrac allows self-hosted instances to verify, using Cosign, that the Docker images run in the environment are signed by PlexTrac and can be trusted.

Checksums have been used for years to verify downloads from the internet. Cosign brings the same kind of verification to Docker containers. This simple check provides validation and confidence that the container was built and signed by PlexTrac.

Prerequisites

  • Cosign binary: ensure it is on your PATH or in another location from which it can be run on the command line

  • PlexTrac Cosign public key saved with the following content (can be downloaded below):

Verification Process

To verify the signature against PlexTrac's signed image, use the public key downloaded above and the following command:

cosign verify --key plextrac_cosign.pub docker.io/plextrac/plextracapi:stable | jq .

Replace plextrac_cosign.pub with the filename the key was saved as.

If the output is piped through jq, it would be:

For CI/CD or other automated purposes, the digest of the signed image can be extracted from the verification output, for example:

cosign verify --key plextrac_cosign.pub docker.io/plextrac/plextracapi:stable | jq '.[].critical.image | .[]'

The output would be:
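The following is an added example, not part of the PlexTrac documentation or PlexTrac's own tooling, showing how a CI job would use the two commands above: run cosign verify, parse the JSON payloads it prints (the equivalent of the jq filter), check that every signature agrees on one well-formed digest, and rewrite the :stable tag as a digest-pinned reference so the deployment pulls exactly the verified content. It assumes the cosign binary is on PATH and that the key is saved as plextrac_cosign.pub (that filename is an assumption); the sample cosign output and its digest are constructed, so the offline part runs without cosign.

```python
"""Verify a PlexTrac image signature with cosign and pin the image by its digest.

Added example, not PlexTrac's own tooling. Assumes the cosign binary is on PATH
and that the PlexTrac public key is saved as plextrac_cosign.pub (that filename
is an assumption; use whatever name you saved the key under).
"""
import json
import re
import subprocess

# A cosign image digest is always sha256 followed by 64 lowercase hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def extract_digest(cosign_json: str) -> str:
    """Parse `cosign verify` stdout (a JSON array of signature payloads) and return
    the manifest digest the signatures attest to.

    This is the programmatic equivalent of `jq '.[].critical.image | .[]'`, plus
    the checks a CI job needs: at least one signature must be present, the digest
    must be well formed, and all signatures must agree on a single digest.
    """
    payloads = json.loads(cosign_json)
    if not isinstance(payloads, list) or not payloads:
        raise ValueError("cosign verify returned no signature payloads")
    digests = set()
    for payload in payloads:
        digest = payload["critical"]["image"]["docker-manifest-digest"]
        if not DIGEST_RE.match(digest):
            raise ValueError(f"unexpected digest format: {digest!r}")
        digests.add(digest)
    if len(digests) != 1:
        raise ValueError(f"signatures disagree on the image digest: {sorted(digests)}")
    return digests.pop()


def pinned_reference(image: str, digest: str) -> str:
    """Rewrite name:tag as name@digest so the deployment pulls exactly the bytes
    that were verified, rather than whatever the mutable tag points to later."""
    name = image.split("@", 1)[0]
    # A ':' only denotes a tag if it appears after the last '/' (registries may carry a port).
    if name.rfind(":") > name.rfind("/"):
        name = name[: name.rfind(":")]
    return f"{name}@{digest}"


def verify_and_pin(image: str, key_path: str = "plextrac_cosign.pub") -> str:
    """Run `cosign verify --key <key> <image>` and return the digest-pinned reference.

    cosign prints the JSON payloads on stdout and its human-readable summary on
    stderr; a non-zero exit status means no valid signature was found for this key.
    """
    proc = subprocess.run(
        ["cosign", "verify", "--key", key_path, image],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode != 0:
        raise RuntimeError(f"signature verification failed for {image}: {proc.stderr.strip()}")
    return pinned_reference(image, extract_digest(proc.stdout))


# Constructed sample in the shape `cosign verify` emits; the digest value is made up.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_COSIGN_OUTPUT = json.dumps([
    {
        "critical": {
            "identity": {"docker-reference": "index.docker.io/plextrac/plextracapi"},
            "image": {"docker-manifest-digest": SAMPLE_DIGEST},
            "type": "cosign container image signature",
        },
        "optional": None,
    }
])

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; in CI call verify_and_pin()
    # and hand its result to the deployment step instead of the :stable tag.
    digest = extract_digest(SAMPLE_COSIGN_OUTPUT)
    print(pinned_reference("docker.io/plextrac/plextracapi:stable", digest))
```

In a pipeline, a failing `cosign verify` (wrong key, unsigned image, tampered manifest) exits non-zero and `verify_and_pin` raises, which stops the deployment; the digest-pinned reference it returns on success should be what the orchestrator pulls, since a tag such as :stable can be re-pointed after the check has run.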


© 2024 PlexTrac, Inc. All rights reserved.