Docker Content Trust Retired as Alternatives Flourish

Write for InfoQ

With usage of Docker Content Trust (DCT) declining, and other similar offerings superseding its functionality and ease-of-use, Docker has announced the retirement of Docker Content Trust (DCT). Docker is recommending that organisations using DCT should move to alternatives such as Sigstore or Notation.

DCT works by allowing image publishers to digitally sign their container images using private keys, which are then verified through public keys stored in registries via a Docker Notary server. DCT checks these digital signatures during image pulls to create a chain of trust that helps protect against tampering and ensures images originate from trusted sources. This process prevents the deployment of unsigned container images. DCT was introduced in 2015 as a verification system using The Update Framework (TUF) and was donated as an incubating project "Notary" to the Cloud Native Computing Foundation.

Usage has declined significantly, according to Docker's announcement. Brian Pratt from Docker stated: "Today, fewer than 0.05% of Docker Hub image pulls use DCT and Microsoft recently announced the deprecation of DCT support in Azure Container Registry."

Pratt explained the reasons for retiring DCT:

The upstream Notary codebase is no longer actively maintained and the ecosystem has since moved toward newer tools for image signing and verification.

- Brian Pratt

The retirement began on 8 August, 2025, when the oldest DCT signing certificates for Docker Official Images started expiring. Users with the DOCKER_CONTENT_TRUST environment variable enabled will experience pull failures and must now turn off this setting. The docker trust inspect command also stopped working for Docker Official Images.

For organisations looking to replace DCT or implement its functionality, there are a number of choices, with an article from Snyk documenting several possible alternatives. Sigstore Cosign offers keyless signing through OIDC identities and transparency logs, and thus, it doesn't have the complexity of managing keys with ephemeral keys. Cosign provides a decentralised and federated trust delegation model with strong community support, making it suitable for organisations prioritising secure and transparent software updates across multiple registries.

Sigstore architecture

The Notary Project provides specifications and tools for securing software supply chains. Notary V2 (Notation) offers a specification-driven approach for signing and verifying container images that supports multiple signatures and integrates into existing PKI. DCT only supported one signature per image, meaning organisations could not add additional approval signatures if vendors had already signed images. Unlike DCT, Notary v2 enables validation through multiple signatures, allowing organisations to add approval chains. However, the project needs more complex setup involving TLS certificates and TUF key management.

Microsoft's Azure Container Registry team has provided a concrete example of the transition timeline. Starting on 30th September, 2025, customers cannot enable Docker Content Trust on new registries, and all DCT data will be permanently deleted on 31 March, 2028, when the feature is completely removed. In this Github pull request, Azure promotes migration to the Notary Project ecosystem, specifically the Notation tool. This will bring advantages like OCI standards compliance, Azure Key Vault integration for key management, and CI/CD pipeline integration.

Setting up DCT required a complete infrastructure, including a Notary server, a Notary signer, a Notary client, and a MySQL database with mutual TLS configuration. Also, signing data was lost when moving images between registries without accompanying Notary servers, which limited the interoperability of DCT. Nigel Douglas writes at All Things Open on how modern alternatives go some way to addressing these limitations through improved interoperability, better key management, and better integration into development workflows. Sigstore stores all signatures in public registries for transparency and auditability, and supports most production registries. Notary v2 provides comprehensive cross-registry specifications for signing OCI images, though registry support is still limited.

Docker plans to implement a modern image signing solution for Docker Official Images using contemporary tools, though details of this have yet to be announced.

Related Topics:

• DevOps
• Containers
• Code Signing
• Docker

We protect your privacy.