
Docker kills Content Trust after 10 years: 0.05% of pulls used it

Docker is retiring DCT and the Notary v1 service by December 2026. Fewer than 0.05% of Docker Hub pulls depend on it.

Tags: docker, docker content trust, notary, sigstore, cosign, notation

Fewer than 0.05% of Docker Hub pulls still rely on Docker Content Trust, so Docker is finally pulling the plug on its decade-old image signing service. DCT and the Notary v1 server at notary.docker.io will be fully retired by December 8, 2026. If you never set DOCKER_CONTENT_TRUST=1 or typed docker trust sign, you can stop reading now.

Why DCT Is Finally Dead

DCT shipped in 2015, built on The Update Framework and the upstream Notary v1 project. That upstream codebase is no longer maintained. The ecosystem standardized on OCI-native signing tools like Sigstore/Cosign and the Notary Project's Notation, which store signatures alongside the image in any compliant registry with no separate trust infrastructure. Microsoft deprecated DCT in Azure Container Registry ages ago; Harbor dropped Notary v1 support too. Docker is the last domino.

The Timeline: Brownouts Then Shutdown

Docker is running dry runs first. Writes go dark before reads, so publishers get the earliest warning. Mark your calendar:

  • July 14, 2026: 4-hour write brownout (8 AM Pacific)
  • July 15, 2026: 4-hour write brownout
  • August 10, 2026: 4-hour read brownout
  • August 12, 2026: 4-hour read brownout
  • December 8, 2026: Full shutdown

Ordinary docker pull and docker push keep working through these windows. Only DCT trust operations break.

Your Migration Menu: Cosign, Notation, or Digests

Three options, depending on how much verification you need.

Quickest fix: unset DOCKER_CONTENT_TRUST everywhere - shell profiles, CI/CD configs, Compose files, K8s manifests. That removes tag-level verification but keeps everything running.

Digest pinning: pull by digest (busybox@sha256:f85340bf...) instead of tags. Immutable, guarantees exact content. Does not prove publisher identity, but eliminates tag mutability risk.

Real signing: adopt Sigstore/Cosign or Notation. Both store signatures as OCI artifacts alongside the image in the registry. Cosign uses OIDC-backed short-lived certificates; Notation uses a certificate-based PKI model. Both are actively maintained, unlike DCT.
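The "quickest fix" and digest-pinning steps above both start with finding what still depends on DCT. The following audit script is an added example, not code from Docker's guidance: it greps a checkout for leftover DCT settings and `docker trust` calls, then lists `image:` references that are not pinned to a sha256 digest. The sample tree it builds is constructed, and `find_dct_usage`, `find_unpinned_images` and `make_sample_tree` are names chosen for this example.

```shell
# Added example (not Docker's code): audit a checkout for leftover Docker
# Content Trust settings in shell profiles, CI configs, Compose files and
# K8s manifests, and list images still pulled by mutable tag. Assumes
# plain-text YAML/shell files; sample values below are made up.

# Print every file:line that still enables DCT or calls `docker trust`.
find_dct_usage() {
    grep -rnE 'DOCKER_CONTENT_TRUST[[:space:]]*[=:][[:space:]]*"?1|docker[[:space:]]+trust[[:space:]]+(sign|inspect)' "$1" 2>/dev/null
}

# Print image references from `image:` keys that lack a digest pin.
# A pinned reference has the form name@sha256:<64 hex chars>.
find_unpinned_images() {
    grep -rhoE '^[[:space:]]*-?[[:space:]]*image:[[:space:]]*[^[:space:]#]+' "$1" 2>/dev/null \
      | sed -E 's/^[[:space:]]*-?[[:space:]]*image:[[:space:]]*//' \
      | grep -vE '@sha256:[0-9a-f]{64}$' \
      | sort -u
}

# Constructed sample tree (all values invented) so the audit runs offline.
make_sample_tree() {
    dir=$(mktemp -d)
    printf 'export DOCKER_CONTENT_TRUST=1\n' > "$dir/profile.sh"
    cat > "$dir/ci.yml" <<'EOF'
env:
  DOCKER_CONTENT_TRUST: "1"
steps:
  - run: docker trust sign example/app:1.0
EOF
    cat > "$dir/compose.yml" <<'EOF'
services:
  web:
    image: nginx:1.25
  db:
    image: postgres@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EOF
    cat > "$dir/k8s.yml" <<'EOF'
containers:
  - image: busybox:latest
EOF
    printf '%s\n' "$dir"
}

# Usage: run the audit over the constructed tree (or pass a real checkout).
tree=$(make_sample_tree)
echo "== DCT still referenced =="; find_dct_usage "$tree"
echo "== images not pinned by digest =="; find_unpinned_images "$tree"
```

On the sample tree the first report lists the profile export, the CI env setting and the `docker trust sign` step; the second lists `busybox:latest` and `nginx:1.25` but not the digest-pinned postgres image.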

For production enforcement, pair Cosign with Kyverno or Notation with Ratify + Gatekeeper to block unsigned images from reaching pods.

If you are a Docker Hub publisher currently signing images with DCT, Docker will not provide replacement signatures. You must adopt Cosign or Notation yourself. If you consume third-party images signed with DCT, contact the publisher to ask about their migration plans.

One free upgrade: Docker Hardened Images (DHI) ship with cryptographic signatures, provenance attestations, and SBOMs built in. Switching to DHI as base images replaces DCT verification and gives you a continuously patched minimal image. No extra tooling needed.

Brownouts start in less than a month. Migrate before the first write outage hits your pipeline.


Source: Docker Content Trust: Retirement and Migration Guidance
Domain: docker.com
