Source URL: https://www.docker.com/blog/retiring-docker-content-trust/
Source: Docker
Title: Retiring Docker Content Trust
Feedly Summary: Docker Content Trust (DCT) was introduced 10 years ago as a way to verify the integrity and publisher of container images using The Update Framework (TUF) and the Notary v1 project. However, the upstream Notary codebase is no longer actively maintained and the ecosystem has since moved toward newer tools for image signing and verification….
Summary: Docker Content Trust (DCT) is being deprecated due to its declining usage and maintenance issues. This shift is significant for professionals in cloud computing and image security, as it signals a move towards modern image signing solutions.
Detailed Description:
Docker Content Trust (DCT) was designed to enhance security by verifying the integrity and publisher of container images. However, with the rise of new tools and the decline in DCT’s utilization, Docker has decided to retire this feature. The deprecation of DCT will have several implications for users and developers who rely on Docker Official Images (DOI) and DCT for image signing.
Key Points:
– **DCT Overview**:
  – Introduced 10 years ago using The Update Framework (TUF) and the Notary v1 project.
  – Aim: Verify integrity and publisher of container images.
– **Current Trends**:
  – Significant decline in DCT usage, with less than 0.05% of Docker Hub image pulls relying on it.
  – Microsoft has deprecated DCT support in Azure Container Registry, further prompting Docker to retire DCT.
– **Future Plans**:
  – Docker is exploring alternative image signing solutions that utilize modern tools.
  – The transition period begins, with specific timelines for DCT’s complete deprecation to be announced.
– **Implications for Users**:
  – Users pulling Docker Official Images will need to be aware that from August 8th, 2025, older DCT signing certificates will expire.
  – Failure to refresh these certificates means users must unset the DOCKER_CONTENT_TRUST environment variable to avoid disruptions.
  – Users currently publishing images using DCT are encouraged to plan a move to alternative solutions (e.g., Sigstore or Notation) with future migration guides from Docker.
– **Community Engagement**:
  – Docker emphasizes its commitment to enhancing security in the container ecosystem and thanks the community for their understanding during this transition.
This development indicates a broader push towards modern practices in container image security, vital for professionals managing cloud infrastructure and security processes.
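To find where the DOCKER_CONTENT_TRUST variable mentioned under "Implications for Users" is still switched on, a tree of shell profiles, CI definitions and env files can be scanned. This is an added example, not code from Docker or the original post; the function names and sample file names are hypothetical, and the rule for which values count as "enabled" is an assumption about the docker CLI.

```shell
#!/bin/sh
# Added example: find places where Docker Content Trust is switched on.

# dct_enabled VALUE: succeed if VALUE would turn content trust on.
# Assumption: the docker CLI treats every non-empty value except a
# boolean false (0, f, F, false, FALSE, False) as "enabled".
dct_enabled() {
    case "$1" in
        ''|0|f|F|false|FALSE|False) return 1 ;;
        *) return 0 ;;
    esac
}

# scan_dct DIR: print file:line:value for each assignment under DIR that
# enables DCT (shell exports, Dockerfile ENV, .env files, YAML env maps).
# Heuristic: commented-out lines are reported too, and file names
# containing ':' are not handled.
scan_dct() {
    grep -rnE 'DOCKER_CONTENT_TRUST[[:space:]]*[=:]' "$1" 2>/dev/null |
    while IFS=: read -r file line text; do
        value=$(printf '%s\n' "$text" | sed -E \
            "s/.*DOCKER_CONTENT_TRUST[[:space:]]*[=:][[:space:]]*//; s/^[\"']//; s/[\"'[:space:]#;].*\$//")
        if dct_enabled "$value"; then
            printf '%s:%s:%s\n' "$file" "$line" "$value"
        fi
    done
}

# write_sample DIR: constructed sample files (hypothetical names) for a dry run.
write_sample() {
    mkdir -p "$1/ci"
    printf 'export DOCKER_CONTENT_TRUST=1\n' > "$1/profile.sh"
    printf 'env:\n  DOCKER_CONTENT_TRUST: "true"\n' > "$1/ci/build.yml"
    printf 'DOCKER_CONTENT_TRUST=0\n' > "$1/.env"
    printf 'unset DOCKER_CONTENT_TRUST\n' > "$1/fixed.sh"
}

# Usage: sh scan.sh <dir>; also reports the calling shell's own setting.
if [ "$#" -gt 0 ]; then
    dct_enabled "${DOCKER_CONTENT_TRUST-}" && echo "environment: DCT enabled"
    scan_dct "$1"
fi
```

Values that are variable references (for example `${SOME_VAR}`) are reported as enabled so that they get a manual look.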