Docker Content Trust Retirement Migration — when and how should I migrate?

Choose what image-signing and verification path should replace Docker Content Trust now that Docker has begun retiring it, starting with Docker Official Images.

Sigstore with Cosign — default now if keyless OIDC and mixed-registry CI fit; use Notation only when you need PKI-heavy trust policy and enterprise cert workflows.

Candidates

Migrate to Sigstore with Cosign

Sigstore's official quickstart recommends Cosign as the CLI for signing and verifying software artifacts, including container images. Docker's own current hardened-image signing docs use Cosign and state that images can be signed with OIDC-backed short-lived certificates and transparency-log recording. Docker's DCT retirement notice explicitly names Sigstore as a replacement path, and as of 2026-04-02 Docker Official Image DCT certificate expiry has already begun causing failures for users who still pull DOI with DOCKER_CONTENT_TRUST=1. Official docs linked here do not present a standalone tool license price; check official docs for any registry, KMS, or enterprise policy-controller costs.

When to choose

Use this when you want the lowest-friction modern replacement for image signing across mixed registries and CI systems, especially if keyless OIDC signing is acceptable. It is the stronger default when you want to align with where Docker itself is already using Cosign for Docker Hardened Images.

Tradeoffs

Strong ecosystem momentum and simple developer workflow are the main advantages. The tradeoff is that admission and trust-policy enforcement usually requires separate policy tooling, and some enterprises may prefer X.509 and policy primitives that map more directly onto existing PKI processes.

Cautions

As of 2026-04-02, Docker Official Image DCT expiry has already occurred in practice, so keeping DCT enabled for DOI pulls is a breakage risk, not a future risk. Do not treat Cosign adoption as a drop-in fix for old tag-based DCT behavior; verify by digest and update CI, admission, and provenance policies together.
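An added example of the CI-side replacement for `DOCKER_CONTENT_TRUST=1` described above (not code from the page, Docker or Sigstore): the gate refuses tag-only references and runs keyless Cosign verification against the digest-pinned reference before pulling. The identity regexp, OIDC issuer and image references are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not code from the page, Docker or Sigstore: a CI-side
# replacement for "DOCKER_CONTENT_TRUST=1 docker pull image:tag" on Docker
# Official Images. DCT's tag-based trust is what is expiring, and Cosign
# signatures are bound to a digest, so the gate (1) refuses tag-only
# references and (2) verifies the digest-pinned reference with keyless
# (OIDC) cosign verification before pulling.
# Assumptions: the cosign v2 CLI is installed for step 2; the identity
# regexp and issuer below are placeholders for your own signing identity.

COSIGN_IDENTITY_RE="${COSIGN_IDENTITY_RE:-^https://github.com/example-org/}"
COSIGN_ISSUER="${COSIGN_ISSUER:-https://token.actions.githubusercontent.com}"

# Returns 0 when the reference ends in a sha256 digest, 1 otherwise.
is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Extracts just the digest (sha256:...) so CI logs and provenance records
# key on the same value that was verified, not on a mutable tag.
ref_digest() {
    printf '%s\n' "$1" | sed -E 's/^.*@(sha256:[0-9a-f]{64})$/\1/'
}

# Gate used in place of DOCKER_CONTENT_TRUST=1.
#   return 1: tag-only reference   2: cosign missing   3: verification failed
verify_and_pull() {
    ref="$1"
    if ! is_digest_pinned "$ref"; then
        echo "refusing tag-only reference: $ref (pin it with @sha256:...)" >&2
        return 1
    fi
    command -v cosign >/dev/null 2>&1 || { echo "cosign not installed" >&2; return 2; }
    # Keyless verification: the signing certificate's identity must match the
    # expected CI identity and must have been issued by the expected OIDC issuer.
    cosign verify \
        --certificate-identity-regexp "$COSIGN_IDENTITY_RE" \
        --certificate-oidc-issuer "$COSIGN_ISSUER" \
        "$ref" >/dev/null || { echo "signature check failed for $(ref_digest "$ref")" >&2; return 3; }
    docker pull "$ref"
}
```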

Migrate to Notary Project with Notation

Docker's DCT retirement docs also name Notation as a replacement, and Microsoft has already published an explicit DCT-to-Notary migration path for Azure Container Registry. Microsoft states ACR deprecation started on 2025-03-31, blocks new DCT enablement on 2026-05-31 for registries that do not already use it, and removes DCT entirely on 2028-03-31. The Notary Project positions itself as an OCI-standard, enterprise-grade signing and verification stack, and its site currently exposes v1.3 docs while also advertising a v2.0.0-alpha.1 release. Official docs linked here do not present a standalone tool license price; check official docs for registry, certificate, and cloud key-management costs.

When to choose

Use this when your organization wants OCI-native signatures plus explicit trust-policy and PKI-oriented workflows, especially in Azure-heavy environments. It is the safer choice when registry portability, enterprise certificate handling, and documented cloud-vendor migration guidance matter more than keyless developer ergonomics.

Tradeoffs

The main advantage is standards-oriented signing with clearer enterprise-policy framing and documented Azure integrations. The tradeoff is a more opinionated setup around certificates, keys, and trust stores than the simplest Cosign keyless path.

Cautions

Do not read Docker's generic retirement notice as meaning every registry has the same deadline; Docker has not published the final complete DCT deprecation timeline yet, while Azure ACR has. If you are on ACR, DCT is already in deprecation, new enablement closes on 2026-05-31, and imported DCT signatures are not preserved the same way because Notary v2 stores signatures as OCI artifacts.

Facts updated: 2026-04-02
Published: 2026-04-03
