Azure Container Registry will retire Docker Content Trust (DCT) on March 31, 2028. To help with this transition, this article provides guidance for how to disable DCT and adopt Notary Project to sign and verify container images.
DCT deprecation
DCT allows image publishers to sign their images and allows image consumers to verify that the images they pull are signed. With advancements in technology, DCT no longer meets the requirements of modern supply-chain security for containers. As a result, deprecation of DCT started on March 31, 2025. DCT will be completely removed from Azure Container Registry on March 31, 2028.
As an alternative to DCT, Microsoft offers signing and verification solutions based on Notary Project. Notary Project is a set of specifications and tools that provide a cross-industry standard for securing software supply chains by using authentic container images and other Open Container Initiative (OCI) artifacts.
Notation, a tool from Notary Project, implements Notary Project specifications. It includes a command-line interface (CLI) and libraries for signing and verifying container images and artifacts. The benefits of using the Notary Project solutions to ensure the integrity and authenticity of container images include:
- Portability and interoperability: Notary Project signatures adhere to OCI standards and can be stored in OCI-compliant registries like Container Registry. These capabilities facilitate signature portability and interoperability across cloud environments.
- Secure key management: You can use Azure Key Vault to manage your signing keys and certificates.
- Integration with continuous integration and continuous delivery (CI/CD) pipelines: Implement signing in your CI/CD pipelines, including Azure DevOps and GitHub workflows.
- Comprehensive verification: Verify container images within your CI/CD pipelines (such as Azure DevOps and GitHub workflows) and on Azure Kubernetes Service (AKS) to prevent the use and deployment of untrusted images.
Disable DCT
Before you can transition to the Notary Project solutions, you have to disable DCT. Use any of the following methods:
- Disable DCT from the shell by setting the `DOCKER_CONTENT_TRUST` environment variable to `0`. For example, in the Bash shell, use this command: `export DOCKER_CONTENT_TRUST=0`. Alternatively, you can unset the environment variable: `unset DOCKER_CONTENT_TRUST`
- Disable DCT from the Azure portal. Go to the registry, and then under Policies, select Content Trust > Disabled > Save.
- Disable DCT by using the Azure CLI: `az acr config content-trust update -r myregistry --status disabled`
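A small shell audit, added here and not part of the original article, that checks both places DCT can still be active after the steps above: the client's `DOCKER_CONTENT_TRUST` variable and the registry's content-trust policy. The JSON shape returned by `az acr config content-trust show` (a `status` field of `enabled`/`disabled`) and the `ACR_NAME` variable are assumptions; the embedded registry response is constructed.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): audit whether DCT is really off on
# both sides of a pull, the Docker client and the registry. Assumes the JSON output of
# `az acr config content-trust show` carries a "status" field ("enabled"/"disabled").

# Classify the client-side setting: DCT is active only when the variable is exactly "1".
# Argument: the value of DOCKER_CONTENT_TRUST (empty when the variable is unset).
dct_client_state() {
  case "$1" in
    1) echo "enabled" ;;
    ""|0) echo "disabled" ;;
    *) echo "unknown" ;;   # not a documented setting; flag it rather than guess
  esac
}

# Extract the "status" field from the registry's content-trust JSON without needing jq.
dct_registry_state() {
  printf '%s' "$1" | tr -d ' \n' | sed -n 's/.*"status":"\([a-z]*\)".*/\1/p'
}

# Combine both views into one verdict: "ok" only when both sides have DCT disabled.
# Arguments: DOCKER_CONTENT_TRUST value, registry content-trust JSON.
dct_audit() {
  client=$(dct_client_state "$1")
  registry=$(dct_registry_state "$2")
  if [ "$client" = "disabled" ] && [ "$registry" = "disabled" ]; then
    echo "ok: DCT disabled on client and registry"
  elif [ "$client" != "disabled" ]; then
    # A client that still enforces DCT fails pulls from a registry with no trust data.
    echo "fail: client DOCKER_CONTENT_TRUST state is '$client'; unset it or set it to 0"
  else
    echo "fail: registry content trust is '$registry'; run az acr config content-trust update --status disabled"
  fi
}

# Constructed sample registry response, standing in for the live `az` call below.
SAMPLE_REGISTRY_JSON='{ "status": "disabled", "type": "Notary" }'

if [ -n "${ACR_NAME:-}" ]; then
  # Live mode (requires `az login`): query the real registry named in ACR_NAME.
  dct_audit "${DOCKER_CONTENT_TRUST:-}" "$(az acr config content-trust show -r "$ACR_NAME" -o json)"
else
  # Offline mode: evaluate the current shell against the constructed sample.
  dct_audit "${DOCKER_CONTENT_TRUST:-}" "$SAMPLE_REGISTRY_JSON"
fi
```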
Use Notary Project to sign and verify container images
After you disable DCT, you can sign and verify container images by using Notary Project. Use the following references to get started.
Sign container images:
- To use Key Vault with self-signed certificates, see Sign container images by using Notation, Azure Key Vault, and a self-signed certificate.
- To use Key Vault with certificates issued by a certificate authority (CA), see Sign container images by using Notation, Azure Key Vault, and a CA-issued certificate.
- To sign in Azure DevOps pipelines, see Sign and verify a container image by using Notation in an Azure pipeline.
- To sign in GitHub workflows, see Sign a container image by using Notation in GitHub Actions.
Verify container images:
- To verify in Azure DevOps pipelines, see Sign and verify a container image by using Notation in an Azure pipeline.
- To verify in GitHub workflows, see Verify a container image by using Notation in GitHub Actions.
- To verify on AKS, see Verify container image signatures by using Ratify and Azure Policy.