
Deprecation of Content Trust in ACR #837

Open
@yizha1

Description

Transition from Docker Content Trust to the Notary Project and Azure Key Vault

Container image signing and verification are essential for securing the container supply chain. Signing creates digital signatures as cryptographic proof of origin during development and building processes. Verification ensures that the container image remains unaltered from build, through publishing, to deployment. This approach helps prevent vulnerabilities and malware from accessing systems, reduces potential attack surfaces, maintains regulatory compliance, and ensures the integrity of the container ecosystem.
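As an added illustration of the sign-then-verify flow described above (example code written for this page, not code from ACR, the Notary Project or Notation): the publisher hashes the image manifest into an OCI-style descriptor (media type, sha256 digest, size) and signs that descriptor; the consumer recomputes the descriptor from the manifest it actually pulled and checks the signature. Notation signs an equivalent descriptor inside a JWS or COSE envelope with an X.509 certificate held in a KMS such as Azure Key Vault; this example substitutes a locally generated Ed25519 key pair so that it runs offline, and the manifest is a constructed sample, not a real image.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Descriptor mirrors the OCI content descriptor that a Notary Project
// signature binds to: the manifest's media type, sha256 digest and size.
// The field order is fixed by the struct, so json.Marshal is deterministic.
type Descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int    `json:"size"`
}

// DescribeManifest computes the descriptor of a raw manifest body. Any change
// to the body, however small, changes the digest and therefore the descriptor.
func DescribeManifest(manifest []byte, mediaType string) Descriptor {
	sum := sha256.Sum256(manifest)
	return Descriptor{
		MediaType: mediaType,
		Digest:    "sha256:" + hex.EncodeToString(sum[:]),
		Size:      len(manifest),
	}
}

// SignDescriptor is the publisher side: it signs the serialised descriptor with
// the private key. (Ed25519 stands in for the X.509/KMS-backed key Notation uses.)
func SignDescriptor(priv ed25519.PrivateKey, d Descriptor) ([]byte, error) {
	payload, err := json.Marshal(d)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, payload), nil
}

// VerifyManifest is the consumer side: it recomputes the descriptor from the
// manifest that was actually pulled and checks the signature against the
// publisher's public key. It returns false when the manifest was altered after
// signing or when the signature was produced by a different key.
func VerifyManifest(pub ed25519.PublicKey, manifest []byte, mediaType string, sig []byte) bool {
	payload, err := json.Marshal(DescribeManifest(manifest, mediaType))
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, payload, sig)
}

// manifestMediaType is the OCI image manifest media type.
const manifestMediaType = "application/vnd.oci.image.manifest.v1+json"

// sampleManifest is a constructed, minimal OCI image manifest used as input.
var sampleManifest = []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:0000000000000000000000000000000000000000000000000000000000000000","size":2},"layers":[]}`)

// Outcome collects the three verification results the demo exercises.
type Outcome struct {
	OriginalOK bool // untouched manifest, correct publisher key
	TamperedOK bool // manifest modified after signing
	WrongKeyOK bool // untouched manifest, signature checked against another key
}

// RunDemo signs the sample manifest and verifies it under the three scenarios.
func RunDemo() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	sig, err := SignDescriptor(priv, DescribeManifest(sampleManifest, manifestMediaType))
	if err != nil {
		return Outcome{}, err
	}

	// Simulate tampering after publication: replace the empty layer list with a
	// layer the publisher never built. Only the digest check tells the two apart.
	tampered := []byte(string(sampleManifest[:len(sampleManifest)-3]) +
		`[{"mediaType":"application/vnd.oci.image.layer.v1.tar","digest":"sha256:1111111111111111111111111111111111111111111111111111111111111111","size":1}]}`)

	// A second key pair models a signature from an untrusted publisher.
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	return Outcome{
		OriginalOK: VerifyManifest(pub, sampleManifest, manifestMediaType, sig),
		TamperedOK: VerifyManifest(pub, tampered, manifestMediaType, sig),
		WrongKeyOK: VerifyManifest(otherPub, sampleManifest, manifestMediaType, sig),
	}, nil
}

func main() {
	out, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verified: %v, tampered verified: %v, wrong key verified: %v\n",
		out.OriginalOK, out.TamperedOK, out.WrongKeyOK)
}
```

The design point is that the signature never covers the manifest bytes directly but a descriptor derived from them, which is why the consumer must recompute the digest of what it pulled rather than trust a digest carried alongside the image; the same rule applies when a policy engine on AKS or in a pipeline decides whether an image may be deployed.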

Azure Container Registry (ACR) implements Docker Content Trust (DCT), allowing image publishers to sign their images and image consumers to verify that the images they pull are signed. With advancements in technology, Docker Content Trust no longer meets the requirements of modern supply chain security for containers. As a result, Docker Content Trust will be deprecated and no longer available in ACR after March 31, 2028. If you currently use Docker Content Trust, you should transition to the Notary Project ecosystem, including its open-source supply chain tool, Notation.

The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. Notation, a tool from the Notary Project, implements Notary Project specifications and includes CLI and libraries for signing and verifying container images and artifacts. Microsoft currently offers signing and verification solutions based on the Notary Project. When you transition to the Notary Project solutions, you'll also get these benefits:

  • Portability and Interoperability: Notary Project signatures adhere to Open Container Initiative (OCI) standards and can be stored in OCI-compliant registries, such as ACR, facilitating signature portability and interoperability across different cloud environments.
  • Secure Key Management: Manage your signing keys and certificates securely with Azure Key Vault (AKV). More Key Management System (KMS) options are coming soon.
  • CI/CD Pipeline Integration: Implement signing in your CI/CD pipelines, including Azure DevOps (ADO) and GitHub workflows. More CI/CD integration options are coming soon.
  • Comprehensive Verification: Verify container images within your CI/CD pipelines, such as ADO and GitHub workflows, and on Azure Kubernetes Service (AKS) to prevent the use and deployment of untrusted images.

How does this affect me?

  • Starting September 30, 2025, customers will no longer be able to enable Docker Content Trust on Azure Container Registry.
  • Data stored in Azure Container Registry for signing and verifying signatures with Docker Content Trust will be permanently deleted on March 31, 2028.
  • Docker Content Trust functionality will be completely removed from Azure Container Registry on March 31, 2028.

Required Action

Start your transition to Notary Project today and enhance the security and trust of your container ecosystem. Use the following articles to get started.

Signing:

Verification:

Metadata

Labels

  • feature-deprecation: Features that are proposed for deprecation or already in deprecation mode.
  • feature-signing-and-verification: Issues related to signing and verification of artifacts
  • roadmap: Features and asks that should show up on the public roadmap
  • triaged: Use after the issue is triaged

Status

In Deprecation (Sunsetting)