Docker is completing the retirement of Docker Content Trust (DCT) and its upstream Notary v1 service, marking a shift to newer signing standards like Sigstore/Cosign and Notation. This transition impacts workflows that still rely on DCT, though the majority of users remain unaffected.
- DCT and Notary v1 retiring in July 2025 after years of deprecation
- Use OCI-native signing tools like Sigstore/Cosign or Notation as replacements
- Disable DCT and adopt digest pinning for immutable image verification
Infrastructure signal
Docker Content Trust relied on the Notary v1 server to provide image signing and verification based on The Update Framework (TUF). This infrastructure, launched in 2015, enabled cryptographic verification of Docker images via a separate trust service. The Notary v1 service at notary.docker.io is now fully deprecated and will be retired by July 2025, reflecting its unmaintained status and the overall ecosystem move away from external trust servers.
Modern container registries and image signing approaches embed signatures directly within OCI-compliant registries, eliminating the need for a dedicated trust server. Key cloud providers and registry platforms like Azure Container Registry and Harbor have already discontinued Notary v1 support. This retirement allows Docker and the broader ecosystem to concentrate resources on standards-compliant, in-registry signing tools that simplify infrastructure and increase security.
Developer impact
For most developers who do not explicitly enable Docker Content Trust or set the DOCKER_CONTENT_TRUST environment variable, this change causes no disruption. Standard docker pull and push operations remain unaffected. However, users who have integrated DCT into their workflows for image signing and verification must transition to alternative solutions to maintain trust guarantees.
The recommended migration path includes disabling DCT to unblock image consumption immediately, though this removes tag-level verification. Developers should then adopt cryptographic signing tools such as Sigstore/Cosign or the Notary Project’s Notation, both actively maintained and supporting signatures stored alongside images in registries. Additionally, pinning image references via immutable digests ensures content integrity and reproducible builds, a critical step in modern container deployment pipelines.
What teams should watch
Teams relying on Docker Content Trust need to carefully review their CI/CD pipelines, shell environments, container orchestration configurations, and other deployment manifests for any use of the DOCKER_CONTENT_TRUST variable or docker trust commands. Early staged brownouts will phase out write operations before reads, providing a window to detect and remediate reliance on the retiring service without impacting standard docker workflows.
Beyond simply disabling DCT, teams should plan adoption of OCI-native signing workflows that embed signatures alongside images, improving security posture and simplifying infrastructure. Observability and deployment reliability will benefit from immutable digest pinning combined with cryptographically verifiable signatures, aligning with modern container supply chain best practices. Teams that delay migration risk broken signing workflows and gaps in image authenticity verification post-retirement.
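The review described above can be partly automated. The following is an added example, not code from Docker or from the original page: it scans file contents for DOCKER_CONTENT_TRUST settings, docker trust commands, and image references that are not pinned by digest. The file names, registry name, sample contents and the audit function are hypothetical.

```python
import re

DCT_VALUE = re.compile(r"DOCKER_CONTENT_TRUST\s*[=:]\s*[\"']?(\w+)")
DCT_CMD = re.compile(r"\bdocker\s+trust\s+(\w+)")
FROM = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)
YAML_IMAGE = re.compile(r"^\s*-?\s*image:\s*[\"']?([^\s\"'#]+)")
PINNED = re.compile(r"@sha256:[0-9a-f]{64}$")
# Constructed sample files; names, registry and digest are placeholders.
SAMPLES = {
    "ci/release.sh": "export DOCKER_CONTENT_TRUST=1\n"
                     "docker trust sign registry.example/app:1.4\n",
    "Dockerfile": "FROM golang:1.22 AS build\n"
                  f"FROM alpine@sha256:{'a' * 64}\n"
                  "FROM build\n",
    "deploy.yaml": "    image: registry.example/app:1.4\n    env:\n"
                   "      - name: DOCKER_CONTENT_TRUST\n        value: \"1\"\n",
    "dev.env": "DOCKER_CONTENT_TRUST=0\n",
}


def audit(name, text):
    """Return (file, line, kind, detail) findings for one file's text."""
    findings, stages = [], {"scratch"}
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        if "DOCKER_CONTENT_TRUST" in line:
            m = DCT_VALUE.search(line)
            value = m.group(1) if m else "?"  # "?": value is set elsewhere
            # Assumption: 0/false means DCT is already switched off here.
            if value.lower() not in ("0", "false"):
                findings.append((name, no, "dct-env", value))
        m = DCT_CMD.search(line)
        if m:
            findings.append((name, no, "docker-trust-cmd", m.group(1)))
        m = FROM.match(line) if "dockerfile" in name.lower() else \
            YAML_IMAGE.match(line) if name.endswith((".yml", ".yaml")) else None
        if m:
            ref = m.group(1)
            if ref.lower() not in stages and not PINNED.search(ref):
                findings.append((name, no, "unpinned-image", ref))
            if m.re is FROM and m.group(2):
                stages.add(m.group(2).lower())  # later "FROM build" is a stage
    return findings


if __name__ == "__main__":
    for path, body in SAMPLES.items():
        print(*audit(path, body), sep="\n")
```

A "?" detail means the variable is named on that line but its value is set on another line, as in a Kubernetes env entry, so the hit needs a manual look.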