Retiring Docker Content Trust
Docker Content Trust (DCT) was introduced 10 years ago as a way to verify the integrity and publisher of container images using The Update Framework (TUF) and the Notary v1 project. However, the upstream Notary codebase is no longer actively maintained and the ecosystem has since moved toward newer tools for image signing and verification. Accordingly, DCT usage has declined significantly in recent years. Today, fewer than 0.05% of Docker Hub image pulls use DCT and Microsoft recently announced the deprecation of DCT support in Azure Container Registry. As a result, Docker is beginning the process of retiring DCT, beginning with Docker Official Images (DOI).
Docker is committed to improving the trust of the container ecosystem and, in the near future, will be implementing a different image signing solution for DOI that is based on modern, widely-used tools to help customers start and stay secure. Watch this blog for more information.
What This Means for You
If you pull Docker Official Images
Starting on August 8th, 2025, the oldest of DOI DCT signing certificates will begin to expire. You may have already started seeing expiry warnings if you use the docker trust commands with DOI. These certificates, once cached by the Docker client, are not subsequently refreshed, making certificate rotation impractical. If you have set the DOCKER_CONTENT_TRUST environment variable to True (DOCKER_CONTENT_TRUST=1), DOI pulls will start to fail. The workaround is to unset the DOCKER_CONTENT_TRUST environment variable. The use of docker trust inspect will also start to fail and should no longer be used for DOI.
If you publish images on Docker Hub using DCT
You should start planning to transition to a different image signing and verification solution (like Sigstore or Notation). Docker will be publishing migration guides soon to help you in that effort. Timelines for the complete deprecation of DCT are being finalized and will be published soon.
We appreciate your understanding as we modernize our security infrastructure and align with current best practices for the container ecosystem. Thank you for being part of the Docker community.
Related Posts
-
May 12, 2026
Docker AI Governance: Unlock Agent Autonomy, Safely
Introducing Docker AI Governance: centralized control over how agents execute, what they can reach on the network, which credentials they can use, and which MCP tools they can call, so every developer in your company can run AI agents safely, wherever they work. Your laptop is the new prod Agents are the biggest productivity unlockβ¦
Srini SekaranRead now
-
Jun 11, 2026
Docker Hardened Images enhanced vulnerability scanning with Docker and Aikido
Aikido now scans Docker Hardened Images (DHI) with built-in VEX support. Vulnerabilities that Docker has verified as non-exploitable drop out of the queue automatically, so developers spend their time on findings that actually matter. This post walks through what changed, why it matters, and how users can benefit from the new integration. Why teams areβ¦
Dan StelzerandBjorn HovdRead now
-
Jun 8, 2026
5 Software Supply Chain Security Best Practices for Development Teams
Learn the key software supply chain security best practices for container-based delivery, from trusted base images and dependency management to build provenance and runtime monitoring.
Aditya TripathiRead now
-
Jun 5, 2026
What is AI Governance? Frameworks, Principles, and Best Practices
Learn what AI governance is, why it matters, and how to manage AI systems safely and at scale.
Srini SekaranRead now
