We ❤️ Open Source

A community education resource

Docker is retiring Content Trust – Here’s what that means for you

Sigstore vs Notation? What you need to know before choosing.

When working with containers, one of the big security concerns is making sure the images you run are what they claim to be: built by the publisher you expect, and not tampered with in the registry or on the way to your host. That is where Docker's Content Trust feature came in. It let users verify the authenticity and integrity of an image before deploying it, so you could pull it into your Kubernetes clusters with some confidence.

A quick look at Docker Content Trust (DCT)

DCT is a verification layer built into the Docker client. When you pull or run an image from a registry with DCT enabled (DOCKER_CONTENT_TRUST=1 in the environment), the client fetches signed trust metadata from a Docker Notary server, checks the publisher's signature on it, and resolves the tag you asked for to a specific manifest digest before pulling. Publishers sign their tags with docker trust sign; users get assurance that what they pull is what the publisher released. Underneath, it is built on The Update Framework (TUF), which gives every piece of signed metadata an expiry so that stale or replayed trust data is rejected, and protects the tag-to-digest mapping from tampering. With DCT enabled correctly, Docker refuses to pull or run an image that has no valid signature.
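
To make the "freshness and integrity" point concrete, here is an added Go model of what a DCT-style client does with TUF targets metadata. It is illustrative code written for this article, not Notary's implementation or wire format: the real system has a root/targets/snapshot/timestamp role hierarchy and canonical-JSON signing, whereas this version signs one targets document with a single Ed25519 key and embeds the signed bytes verbatim. The struct names, the key ID "publisher-key", the digest and the 8 August 2025 expiry are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TargetsSigned is the signed part of a TUF-style "targets" document: an expiry
// and a map of image tag -> manifest digest. Simplified stand-in for Notary's
// targets role (assumption for this example, not Notary's actual format).
type TargetsSigned struct {
	Expires time.Time         `json:"expires"`
	Targets map[string]string `json:"targets"` // tag -> "sha256:<hex>"
}

// Signature is one detached Ed25519 signature over the raw bytes of "signed".
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"` // base64
}

// TargetsMetadata is the document a client fetches from the trust server and caches.
type TargetsMetadata struct {
	Signed     json.RawMessage `json:"signed"`
	Signatures []Signature     `json:"signatures"`
}

var (
	ErrBadSignature = errors.New("targets metadata is not signed by the trusted key")
	ErrExpired      = errors.New("targets metadata has expired")
	ErrUnknownTag   = errors.New("tag is not present in trusted targets")
)

// SignTargets is the publisher side: serialise the signed section once and sign
// exactly those bytes, so the verifier never has to re-canonicalise.
func SignTargets(priv ed25519.PrivateKey, keyID string, s TargetsSigned) ([]byte, error) {
	signedBytes, err := json.Marshal(s)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(priv, signedBytes)
	return json.Marshal(TargetsMetadata{
		Signed:     signedBytes,
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	})
}

// ResolveTrustedDigest is the client side of a DCT-style pull: check the signature,
// refuse stale metadata, then map the requested tag to a digest. The caller must
// pull by the returned digest, not by the tag, or the check proves nothing.
func ResolveTrustedDigest(metadata []byte, pub ed25519.PublicKey, keyID, tag string, now time.Time) (string, error) {
	var meta TargetsMetadata
	if err := json.Unmarshal(metadata, &meta); err != nil {
		return "", err
	}
	verified := false
	for _, s := range meta.Signatures {
		if s.KeyID != keyID {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ed25519.Verify(pub, meta.Signed, raw) {
			verified = true
			break
		}
	}
	if !verified {
		return "", ErrBadSignature
	}
	var signed TargetsSigned
	if err := json.Unmarshal(meta.Signed, &signed); err != nil {
		return "", err
	}
	// Freshness: expired metadata is rejected even though its signature is valid.
	// This is the property that makes expired, still-cached trust data fatal.
	if !now.Before(signed.Expires) {
		return "", ErrExpired
	}
	digest, ok := signed.Targets[tag]
	if !ok {
		return "", ErrUnknownTag
	}
	return digest, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample: one tag, metadata expiring 8 August 2025.
	meta, _ := SignTargets(priv, "publisher-key", TargetsSigned{
		Expires: time.Date(2025, 8, 8, 0, 0, 0, 0, time.UTC),
		Targets: map[string]string{"1.0": "sha256:" + fmt.Sprintf("%064x", 1)},
	})
	for _, when := range []time.Time{
		time.Date(2025, 7, 1, 0, 0, 0, 0, time.UTC),
		time.Date(2025, 9, 1, 0, 0, 0, 0, time.UTC),
	} {
		d, err := ResolveTrustedDigest(meta, pub, "publisher-key", "1.0", when)
		fmt.Printf("pull at %s: digest=%q err=%v\n", when.Format("2006-01-02"), d, err)
	}
}
```

Running it shows the same signed document resolving cleanly in July and being refused in September with ErrExpired: nothing about the signature changed, only the clock. That is the behaviour to expect from a client whose cached DCT trust data has passed its expiry.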

So what exactly is changing

Here's the thing: the Notary project that DCT relies on is no longer actively maintained, and the community has largely moved on to newer image signing tools. Docker has acknowledged this and plans to roll out a modern, more widely adopted signing system for Docker Official Images (DOI). The Docker team expects to post updates on its blog soon.

Starting August 8th, 2025, the oldest DCT signing certificates for DOI begin to expire. If you have used docker trust commands recently, you may already have seen warnings. Once the Docker client has cached a signing certificate it does not refresh it, so an expired certificate stays in the local cache and rotating certificates is painful.

Moving to Sigstore or Notation

According to Docker's official statement, if you publish images on Docker Hub using DCT you should start planning a transition to a different image signing and verification solution, such as Sigstore or Notation. Docker will publish migration guides to help with that effort. A timeline for the complete deprecation of DCT has not yet been finalised. Cloudsmith has published a short blog post on this migration process.

Sigstore vs. Notation: What’s the Difference?

Until Docker has implemented its new signing solution for DOI, the choice of Sigstore or Notation as a replacement for DCT is up to each publisher. Many users are asking: "Which one should I use, Sigstore or Notation?" It is a valid question, since both are open source and designed for image signing and verification. The differences mainly come down to:

  1. Signature formats
  2. How signatures are discovered
  3. How keys are managed

The simplest way I can compare the two: Sigstore, through Cosign, offers a developer-friendly keyless signing experience, in which a short-lived signing certificate is tied to an OIDC identity (for example a CI job or a developer's login) and every signature is recorded in a public transparency log. Notary v2 (Notation) takes a more comprehensive, specification-driven approach: it supports multiple signatures per artifact, verifies against an explicit trust policy, and integrates with existing PKI, so organisations that already manage X.509 certificates can reuse them. The links below should help you make an informed decision.
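
Whichever tool you pick, the thing being signed is the manifest digest, not the tag. The added Go example below shows that binding using cosign's "simple signing" payload layout and its default ECDSA P-256 key type; it is written for this article and is not code from the Sigstore or Notation projects. It uses a long-lived key pair in place of keyless signing, because the Fulcio certificate authority and Rekor transparency log that keyless mode depends on are not reachable offline, and it stores nothing in a registry. The image reference registry.example/app:1.0, the digests and the "build" annotation are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SimpleSigningPayload is the JSON document cosign signs for an image. The field
// names follow the published "simple signing" format; the Go struct is written here.
type SimpleSigningPayload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]string `json:"optional"`
}

// BuildPayload pins the signature to the manifest digest, not to the tag: the
// reference is recorded for context, but verification compares digests.
func BuildPayload(ref, manifestDigest string, annotations map[string]string) ([]byte, error) {
	var p SimpleSigningPayload
	p.Critical.Identity.DockerReference = ref
	p.Critical.Image.DockerManifestDigest = manifestDigest
	p.Critical.Type = "cosign container image signature"
	p.Optional = annotations
	return json.Marshal(p)
}

// SignPayload uses ECDSA P-256 over SHA-256(payload), cosign's default key type.
// In keyless mode the private key is ephemeral and its public half is bound to an
// OIDC identity by a short-lived certificate; the signature maths is the same.
func SignPayload(priv *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	h := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyImage is the pull-time check: the signature must verify under a trusted
// key, and the digest inside the signed payload must equal the digest of the
// manifest that was actually fetched. A tag that has been re-pointed to a new
// image fails the second check even though the tag string is unchanged.
func VerifyImage(pub *ecdsa.PublicKey, payload, sig []byte, pulledDigest string) error {
	h := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify under the trusted key")
	}
	var p SimpleSigningPayload
	if err := json.Unmarshal(payload, &p); err != nil {
		return fmt.Errorf("malformed payload: %w", err)
	}
	if p.Critical.Image.DockerManifestDigest != pulledDigest {
		return fmt.Errorf("signed digest %s does not match pulled manifest %s",
			p.Critical.Image.DockerManifestDigest, pulledDigest)
	}
	return nil
}

// SignatureTag is where cosign stores a signature in a registry: a tag derived
// from the digest, sha256-<hex>.sig. Notation instead attaches its signature as
// an OCI artifact that verifiers find through the registry's referrers API, so
// discovery differs, but the binding to the manifest digest is the same idea.
func SignatureTag(manifestDigest string) string {
	return strings.Replace(manifestDigest, ":", "-", 1) + ".sig"
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	digest := "sha256:" + strings.Repeat("ab", 32) // constructed digest, not a real image
	payload, _ := BuildPayload("registry.example/app:1.0", digest, map[string]string{"build": "ci-42"})
	sig, _ := SignPayload(priv, payload)
	fmt.Println("signature stored at tag:", SignatureTag(digest))
	fmt.Println("same digest:", VerifyImage(&priv.PublicKey, payload, sig, digest))
	moved := "sha256:" + strings.Repeat("cd", 32) // the tag now points at a different image
	fmt.Println("re-pointed tag:", VerifyImage(&priv.PublicKey, payload, sig, moved))
}
```

The second VerifyImage call is the case that matters in practice: the signature is still mathematically valid, the tag string still reads app:1.0, but the registry now serves a different manifest, and verification fails on the digest comparison. Any verifier you put in front of a cluster, whether a cosign policy or a Notation trust policy, has to perform that comparison against the manifest it actually pulled.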

Further reading

  • Sigstore FAQ: The Sigstore team put together a clear breakdown of how their approach compares to Notary v2.
  • Getting started with Notary V2: This blog might be a bit dated, but it’s still a solid intro to the Notary v2 project. Anaïs Urlichs also provided a quickstart for using Notation.
  • Quickstart with Sigstore/Cosign: If you’d prefer to test out Sigstore, this guide walks you through the process of signing and verifying your first container.

About the Author

Nigel Douglas plays a key role in driving education around open source supply chain security at Cloudsmith. He spends his time drafting articles, blogs, and taking the stage to help bring awareness to how security needs to change in the cloud. Prior to his current role at Cloudsmith, he held similar Developer Relations positions at software security vendors such as Sysdig, Tigera, Malwarebytes, Solarwinds, and Google. He completed a Master of Science in Cybersecurity, Privacy, and Trust at South East Technological University in Ireland.
