Docker Content Trust (DCT) was introduced 10 years ago as a way to verify the integrity and publisher of container images using The Update Framework (TUF) and the Notary v1 project. However, the upstream Notary codebase is no longer actively maintained and the ecosystem has since moved toward newer tools for image signing and verification. Accordingly, DCT usage has declined significantly in recent years. Today, fewer than 0.05% of Docker Hub image pulls use DCT and Microsoft recently announced the deprecation of DCT support in Azure Container Registry. As a result, Docker is beginning the process of retiring DCT, beginning with Docker Official Images (DOI).
Docker is committed to improving the trust of the container ecosystem and, in the near future, will be implementing a different image signing solution for DOI that is based on modern, widely-used tools to help customers start and stay secure. Watch this blog for more information.
What This Means for You
If you pull Docker Official Images
Starting on August 8th, 2025, the oldest of DOI DCT signing certificates will begin to expire. You may have already started seeing expiry warnings if you use the docker trust commands with DOI. These certificates, once cached by the Docker client, are not subsequently refreshed, making certificate rotation impractical. If you have set the DOCKER_CONTENT_TRUST environment variable to True (DOCKER_CONTENT_TRUST=1), DOI pulls will start to fail. The workaround is to unset the DOCKER_CONTENT_TRUST environment variable. The use of docker trust inspect will also start to fail and should no longer be used for DOI.
If you publish images on Docker Hub using DCT
You should start planning to transition to a different image signing and verification solution (like Sigstore or Notation). Docker will be publishing migration guides soon to help you in that effort. Timelines for the complete deprecation of DCT are being finalized and will be published soon.
We appreciate your understanding as we modernize our security infrastructure and align with current best practices for the container ecosystem. Thank you for being part of the Docker community.