Find Docker Content Trust before Notary v1 shuts down


Docker is retiring Docker Content Trust and the notary.docker.io Notary v1 service, with brownouts before the December 8, 2026 shutdown. Teams that enabled DCT need to migrate to digest pinning, Cosign, or Notation.

Docker has confirmed that Docker Content Trust and the notary.docker.io Notary v1 service are being retired. Confidence level: confirmed. Normal docker pull and docker push workflows are not affected unless your team deliberately enabled DCT, but CI/CD systems that still depend on DOCKER_CONTENT_TRUST=1 or docker trust commands need a migration plan.

[Image: Docker blog image for Content Trust retirement. Source: Docker.]

What changed

Docker's June 16, 2026 guidance says Docker Content Trust and the Notary v1 service at notary.docker.io are being fully retired. The Docker docs now carry the same warning and state that the Notary v1 service will shut down on December 8, 2026.

The practical risk is narrow but real. DCT was opt-in, so most users are not affected. Teams that sign or verify image tags with DCT, run docker trust sign, use docker trust inspect, or set DOCKER_CONTENT_TRUST=1 in CI can hit broken signing or verification flows during brownouts and shutdown.

| Item to check | Why it matters | Safer direction | Caveat |
|---|---|---|---|
| DOCKER_CONTENT_TRUST=1 | Forces DCT verification in Docker CLI workflows | Remove or replace with modern verification | Do not remove without checking deployment controls |
| docker trust sign | Depends on Notary v1 signing | Move signing to Cosign or Notation | Key and policy model will change |
| Admission policies | May expect DCT signatures | Test Cosign, Notation, Kyverno, Ratify, or Gatekeeper | Cluster policy changes need staged rollout |
| Image repeatability | DCT signed tags may mask tag drift concerns | Pin image digests | Digest pinning does not prove publisher identity |

Why this is early

This is not a new feature announcement; it is a migration clock. Docker says DCT was first put on a retirement path in 2025, and the 2026 guidance gives affected teams a concrete shutdown target. Microsoft and Cloudsmith had already pointed users toward Notary Project, Notation, Sigstore, and Cosign for modern image-signing workflows.

It is early enough to audit before the deadline. Search now, because the risky cases are usually hidden in CI variables, old shell profiles, release scripts, registry documentation, or Kubernetes admission policies written years ago.

Key takeaways

  • Docker Content Trust is being retired, and notary.docker.io is scheduled to shut down on December 8, 2026.
  • Ordinary Docker pulls and pushes are not affected unless DCT is enabled.
  • DCT usage often appears as DOCKER_CONTENT_TRUST=1 or docker trust commands in automation.
  • Docker points users toward digest pinning, Sigstore/Cosign, and Notation-style OCI-native signing patterns.
  • Treat this as a supply-chain migration, not a quick variable cleanup, if production policy depends on signed images.

Availability and access

There is no new product access to request. The current task is inventory and migration. Docker's DCT docs remain available for now, but the service backing Notary v1 is on a retirement path. Teams should confirm exact brownout and shutdown timing from Docker's post before scheduling production changes.

If your organization uses Azure Container Registry, Microsoft's guidance already explains its own DCT deprecation path and recommends Notary Project and Notation-based signing and verification. That makes this broader than Docker Hub: image-signing strategy should be portable across registries, CI, and Kubernetes enforcement.

Practical LinkLoot angle

Run a source search before the next release freeze. Look for DOCKER_CONTENT_TRUST, docker trust, notary.docker.io, and old Notary v1 configuration in CI variables, GitHub Actions, GitLab CI, Jenkins, shell profiles, deployment scripts, Compose files, and Kubernetes policy repos.
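One way to run that search across a checked-out repository, as an added example (not code from Docker or from this article). The YAML `KEY: value` match, the `DOCKER_CONTENT_TRUST_*` wildcard, the skipped directory names and the finding labels are assumptions made for the example.

```python
import os
import re

# Indicators named in the article. Matching the YAML "KEY: value" form and any
# DOCKER_CONTENT_TRUST_* variable is an assumption added for this example.
PATTERNS = {
    "dct-enabled": re.compile(
        r"""\bDOCKER_CONTENT_TRUST["']?\s*[=:]\s*["']?(?:1|true)\b""", re.I),
    "dct-variable": re.compile(r"\bDOCKER_CONTENT_TRUST\w*"),
    "trust-command": re.compile(r"\bdocker\s+trust\b"),
    "notary-endpoint": re.compile(r"\bnotary\.docker\.io\b"),
}
SKIP_DIRS = {".git", "node_modules", "vendor"}


def classify(line):
    """Return the indicator kinds present on one line, sorted."""
    kinds = {kind for kind, rx in PATTERNS.items() if rx.search(line)}
    if "dct-enabled" in kinds:
        kinds.discard("dct-variable")  # the specific finding supersedes the generic one
    return sorted(kinds)


def scan(root):
    """Walk root and return sorted (relative_path, line_no, kind) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    lines = fh.readlines()
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            rel = os.path.relpath(path, root)
            for no, line in enumerate(lines, 1):
                findings += [(rel, no, kind) for kind in classify(line)]
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for rel, no, kind in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}:{no}: {kind}")
```

A `dct-variable` finding means the variable is mentioned with some other value or in another form and needs a manual look. CI variables stored in the CI platform's settings rather than in the repository are outside what a file scan can see.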

For teams standardizing agent-assisted DevOps work, add this to your AI workflow automation checks: agents can help find references and draft migration pull requests, but a human security owner should approve any change that affects image verification or admission control.

| Migration path | Best fit | What to test first | Limit |
|---|---|---|---|
| Disable DCT only | Teams that accidentally inherited DCT | Pull and deploy behavior in CI | Removes verification without replacing it |
| Pin digests | Reproducible image pulls | Build, deploy, rollback path | Does not verify publisher identity |
| Cosign | OSS-style signing and transparency workflows | Keyless or key-backed signing policy | Requires policy integration |
| Notation | Enterprise PKI and OCI-native signatures | Registry and cluster verification | Certificate trust needs governance |
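For the "Pin digests" path, an added example (not from Docker or this article) that reports which image references in Dockerfile `FROM` lines and Compose or Kubernetes `image:` fields are pinned by digest. The sample text, the status labels and the function names are constructed for the example.

```python
import re

# Lines that carry an image reference: Dockerfile FROM, Compose/Kubernetes "image:".
REF_LINE = re.compile(
    r"""^\s*(?:FROM\s+(?:--platform=\S+\s+)?|-?\s*image:\s*)["']?([^\s"']+)""", re.I)
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed sample mixing Dockerfile and Compose lines; not from a real project.
SAMPLE = "\n".join([
    "FROM golang:1.22 AS build",
    "FROM scratch",
    "FROM build",
    "FROM registry.example:5000/team/app",
    "FROM alpine@sha256:" + "a" * 64,
    '    image: "nginx:1.27"',
    "  - image: ${APP_IMAGE}",
])


def pin_status(ref):
    """Classify one image reference as digest, variable, tag or untagged."""
    if DIGEST.search(ref):
        return "digest"
    if "$" in ref:
        return "variable"  # resolved at build or deploy time; review by hand
    last = ref.rsplit("/", 1)[-1]  # a ':' before the last '/' is a registry port
    return "tag" if ":" in last else "untagged"


def audit(text):
    """Return (line_no, reference, status) for each image reference in text."""
    stages, out = set(), []
    for no, line in enumerate(text.splitlines(), 1):
        m = REF_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Skip the empty base image and references to earlier build stages.
        if ref.lower() != "scratch" and ref.lower() not in stages:
            out.append((no, ref, pin_status(ref)))
        alias = re.search(r"\sAS\s+(\S+)", line, re.I)
        if alias:
            stages.add(alias.group(1).lower())
    return out


if __name__ == "__main__":
    for no, ref, status in audit(SAMPLE):
        print(f"line {no}: {ref} -> {status}")
```

Any status other than `digest` can resolve to different content over time. As the table notes, a pinned digest still does not verify publisher identity, which is what the Cosign and Notation rows address.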

What to verify before you act

  • Confirm whether DCT is enabled in shells, CI/CD variables, release scripts, and deployment workers.
  • Check Docker's current retirement post for brownout windows and the final shutdown date.
  • Identify whether any production gate depends on DCT signatures before removing variables.
  • Test Cosign or Notation in a staging registry and staging cluster before changing production policy.
  • Document the fallback plan for image pulls, rollbacks, and emergency patches during the migration.

Source check

Confirmed by: Docker's retirement guidance says Docker Content Trust and the Notary v1 service are being retired, and Docker's own documentation warns that notary.docker.io will shut down on December 8, 2026. Docker also explains that DCT was opt-in and ordinary image pulls do not use the Notary service unless DCT is enabled.

Independent context: Microsoft's Azure Container Registry guidance documents a separate DCT deprecation path and points users toward Notary Project and Notation. Cloudsmith's migration guide adds supply-chain context around moving from DCT toward Sigstore/Cosign. LinkLoot will treat new Docker brownout dates, shutdown changes, or registry-specific migration updates as follow-up triggers.

FAQ

Yes. Docker says Docker Content Trust and the Notary v1 service at notary.docker.io are being retired, with shutdown scheduled for December 8, 2026.