PlexTrac now lets self-hosted instances use Cosign to verify that the Docker images running in the environment are signed and trusted.
Checksum verification has been used for years on files downloaded from the internet. Cosign verification applies the same process to Docker containers. This simple check provides validation and confidence that the container was built and signed by PlexTrac.
Cosign binary: ensure it is in a location where it can be run from the command line.
PlexTrac Cosign public key, saved with the following content (can be downloaded below):
To run the verification of the signature against PlexTrac's signed image, use the public key downloaded above and the following command:
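As an added example (not PlexTrac's own command or script), the shell function below wraps Cosign's `verify --key` check so that several images can be checked in one pass and any image without a valid signature fails the run. The key path, the `COSIGN_BIN` variable and the image references are assumptions; substitute the images your instance actually runs.

```shell
#!/bin/sh
# Added example: verify every listed image against the PlexTrac public key.
# COSIGN_BIN, the key path and the image references are assumptions.

COSIGN_BIN="${COSIGN_BIN:-cosign}"

# verify_images KEYFILE IMAGE [IMAGE...]
# Returns 0 only if every image has a valid signature for KEYFILE.
# Returns 1 if at least one image fails verification.
# Returns 2 on a setup problem (cosign missing, key unreadable, no images).
verify_images() {
    key="$1"
    if ! command -v "$COSIGN_BIN" >/dev/null 2>&1; then
        echo "error: $COSIGN_BIN not found on PATH" >&2
        return 2
    fi
    if [ ! -r "$key" ]; then
        echo "error: public key $key is not readable" >&2
        return 2
    fi
    shift
    if [ "$#" -eq 0 ]; then
        echo "error: no image references given" >&2
        return 2
    fi
    failed=0
    for image in "$@"; do
        # cosign exits non-zero when no signature on the image matches the key.
        if "$COSIGN_BIN" verify --key "$key" "$image" >/dev/null 2>&1; then
            echo "OK      $image"
        else
            echo "FAILED  $image" >&2
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Usage (placeholders, not real PlexTrac image names). Digest references
# tie the check to the exact image content rather than a movable tag:
#   verify_images ./cosign.pub "<registry>/<image>@sha256:<digest>"
```

A non-zero return can gate a deployment or upgrade step, so containers are only started after every image has passed.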