Docker has announced the retirement of Docker Content Trust (DCT) and the underlying Notary v1 service at notary.docker.io, first communicated in July 2025. DCT, introduced a decade ago, provided early mechanisms for image signing and verification. As of now, the service is no longer accepting new signatures, and full retirement will proceed, impacting users relying on DCT for supply chain security.
For developers, this means any workflows or CI/CD pipelines that depend on DCT must be updated. Docker recommends migrating to Sigstore-based solutions, such as Docker Content Trust via Notation or direct integration with Sigstore's keyless signing. The company provides detailed migration steps, including how to re-sign images and update Docker Engine client configurations. This change aligns with the industry shift toward more flexible and OSS-backed signing standards.
What developers need to do:
- Migrate immediately – No new signatures are accepted under the old system.
- Re-sign images using Sigstore or Notation.
- Update Docker Engine client configuration to point to new trust services.
- Audit CI/CD pipelines to remove DCT dependencies and adopt Sigstore commands (
cosign sign,notation sign).
Why it matters:
Relying on soon-to-be-retired services can break build and deployment pipelines. By moving to Sigstore, teams gain cross-registry signing with short-lived certificates, improving security and interoperability. Docker emphasizes that no new signatures will be accepted under the old system, so immediate action is advised for any projects still using DCT.
Source: https://www.docker.com/blog/docker-content-trust-retirement-and-migration-guidance/