Docker Content Trust Retired as Alternatives Flourish
Briefly

"DCT works by allowing image publishers to digitally sign their container images using private keys, which are then verified through public keys stored in registries via a Docker Notary server. DCT checks these digital signatures during image pulls to create a chain of trust that helps protect against tampering and ensures images originate from trusted sources. This process prevents the deployment of unsigned container images."
"Usage has declined significantly, according to Docker's announcement. Brian Pratt from Docker stated: 'Today, fewer than 0.05% of Docker Hub image pulls use DCT and Microsoft recently announced the deprecation of DCT support in Azure Container Registry.' Pratt explained the reasons for retiring DCT: 'The upstream Notary codebase is no longer actively maintained and the ecosystem has since moved toward newer tools for image signing and verification.'"
Docker Content Trust (DCT) is being retired due to steeply declining usage and a shift in the ecosystem toward newer image-signing tools. DCT allowed image publishers to sign container images with private keys and verify them via public keys stored in registries through a Docker Notary server, creating a chain of trust to prevent unsigned image deployment. Usage fell to fewer than 0.05% of Docker Hub pulls and Azure Container Registry deprecated DCT support. Retirement began on 8 August 2025 when the oldest DCT signing certificates for Docker Official Images expired, causing pull failures for users with DOCKER_CONTENT_TRUST enabled. Docker recommends migration to alternatives such as Sigstore, Notation, or Cosign.
Read at InfoQ