Docker Content Trust retires as its alternatives flourish.

  • Docker Content Trust (DCT) Retirement: With usage declining and other offerings surpassing it, Docker announced the retirement of DCT and recommended that organizations move to alternatives such as Sigstore or Notation.

    • How DCT Worked: Image publishers signed image tags with private keys; the signed metadata and the public keys needed to check it were held by a Notary server running alongside the registry. With content trust enabled, the Docker client checked those signatures on every pull and refused unsigned or tampered tags. DCT was introduced in 2015, was built on The Update Framework (TUF), and its server component was donated to the Cloud Native Computing Foundation as "Notary".
    • Usage Decline: Fewer than 0.05% of Docker Hub image pulls used DCT, and Microsoft had already announced its deprecation in Azure Container Registry.
    • Retirement Details: Retirement began on 8 August 2025, when the oldest DCT signing certificates expired. From that point, pulls with DOCKER_CONTENT_TRUST=1 set failed for affected images, and the docker trust inspect command stopped working.
  • Alternatives to DCT:

    • Sigstore: Offers keyless signing: the signer authenticates with an OIDC identity (a developer login or a CI job), receives a short-lived signing certificate bound to that identity, and the signature is recorded in a public transparency log. Verification therefore checks who signed (identity and issuer) rather than possession of a long-lived key. It has broad community support and suits transparent, auditable software updates.
    • Notary Project: Provides specifications and tools for securing software supply chains. Its Notation tool (the Notary v2 effort) takes a specification-driven approach: signatures are X.509-based, so they fit existing PKI and KMS setups; they are stored in the registry as OCI artifacts next to the image; and one artifact can carry multiple signatures. The cost is more setup: a signing certificate and key on the publisher side, and a trust store plus a trust policy on the verifying side.
    • Microsoft's Azure Container Registry: Promotes migration to the Notary Project ecosystem, specifically the Notation tool, citing OCI standards compliance, Azure Key Vault integration, and CI/CD pipeline integration.
  • Limitations of DCT: Required a complete infrastructure of its own: a Notary server, signer, client and MySQL database, with mutual TLS between the components. Signing data lived in the Notary server rather than in the registry, so it was lost when images were moved to a registry without one, which limited interoperability.
  • Docker's Future Plans: Docker plans a modern image signing solution built on contemporary tools; details are yet to be announced.
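To find the pipelines that this retirement breaks, here is an added example (not Docker's tooling and not from the original article): a POSIX shell audit that greps a source tree for the constructs named above (the DOCKER_CONTENT_TRUST variable, docker trust subcommands, and the Notary v1 CLI), fails when it finds any, and prints the Sigstore cosign or Notary Project notation command that replaces each one. The workflow and scripts it writes under a temporary directory are constructed for the demo; the grep patterns, and the IMAGE, ID and ISSUER placeholders in the suggestions, are assumptions to adapt to your own pipeline.

```shell
#!/bin/sh
# Audit a source tree for Docker Content Trust (DCT) usage that breaks once the
# DCT signing certificates expire. Added example, not Docker's tooling.
# Assumptions: the grep patterns below cover how DCT is usually wired in, and
# the files written by make_sample_tree are constructed for the demo only.

# Constructs that depend on DCT / Notary v1 (extended regex):
#   DOCKER_CONTENT_TRUST   any setting; =1 fails pulls, =0 is dead config
#   docker trust ...       sign/inspect/revoke/key/signer all talk to Notary
#   notary ...             direct use of the Notary v1 CLI
DCT_PATTERNS='DOCKER_CONTENT_TRUST|docker[[:space:]]+trust[[:space:]]|(^|[^[:alnum:]_])notary[[:space:]]'

# find_dct_usage DIR: print file:line:text for every hit.
# Returns 0 when clean and 1 when anything matched, so it can gate a CI job.
find_dct_usage() {
    dct_hits=$(grep -rnE "$DCT_PATTERNS" "$1" 2>/dev/null) || true
    if [ -z "$dct_hits" ]; then
        return 0
    fi
    printf '%s\n' "$dct_hits"
    return 1
}

# count_dct_usage DIR: number of matching lines (prints 0 when clean).
count_dct_usage() {
    find_dct_usage "$1" | grep -c . || true
}

# suggest_replacement LINE: post-DCT equivalent for one matched line.
# cosign (Sigstore) and notation (Notary Project) are real CLIs; IMAGE, ID and
# ISSUER are placeholders for the image reference, signer identity and OIDC issuer.
suggest_replacement() {
    case "$1" in
        *"docker trust sign"*)
            echo 'cosign sign IMAGE  (keyless, OIDC identity)  or: notation sign IMAGE' ;;
        *"docker trust inspect"*)
            echo 'cosign verify --certificate-identity ID --certificate-oidc-issuer ISSUER IMAGE  or: notation verify IMAGE' ;;
        *DOCKER_CONTENT_TRUST*)
            echo 'remove the variable; enforce with an explicit cosign verify or notation verify step before pull/deploy' ;;
        *)
            echo 'review by hand: Notary v1 call with no one-to-one replacement' ;;
    esac
}

# audit_dct DIR: report every hit with a suggestion; returns 1 on any hit.
audit_dct() {
    audit_hits=$(find_dct_usage "$1") && { echo "no DCT usage found under $1"; return 0; }
    printf '%s\n' "$audit_hits" | while IFS= read -r line; do
        printf '%s\n    -> %s\n' "$line" "$(suggest_replacement "$line")"
    done
    return 1
}

# make_sample_tree DIR: constructed sample repo with DCT in the usual places
# (a GitHub Actions workflow, a deploy script, a Notary v1 maintenance script)
# plus one clean script that must not be flagged.
make_sample_tree() {
    mkdir -p "$1/.github/workflows" "$1/scripts"
    cat > "$1/.github/workflows/release.yml" <<'EOF'
name: release
env:
  DOCKER_CONTENT_TRUST: "1"
jobs:
  build:
    steps:
      - run: docker build -t registry.example.com/app:1.0 .
      - run: docker trust sign registry.example.com/app:1.0
EOF
    cat > "$1/scripts/deploy.sh" <<'EOF'
#!/bin/sh
export DOCKER_CONTENT_TRUST=1
docker trust inspect --pretty registry.example.com/app:1.0
docker pull registry.example.com/app:1.0
EOF
    cat > "$1/scripts/rotate.sh" <<'EOF'
#!/bin/sh
notary -s https://notary.docker.io list registry.example.com/app
EOF
    cat > "$1/scripts/clean.sh" <<'EOF'
#!/bin/sh
# pulls without signing; the word "trust" alone must not be flagged
docker pull registry.example.com/base:1.0
EOF
}

# Demo: build the sample tree and audit it. In CI, replace this with
# `audit_dct . || exit 1` at the start of the pipeline.
SAMPLE_DIR=$(mktemp -d)
make_sample_tree "$SAMPLE_DIR"
audit_dct "$SAMPLE_DIR" || echo "DCT usage found; migrate these steps to cosign or notation"
rm -rf "$SAMPLE_DIR"
```

On the sample tree the audit reports five lines (the YAML env entry, the exported variable, docker trust sign, docker trust inspect, and the notary call) and leaves the clean script alone. When filling in the cosign suggestion, pin --certificate-identity and --certificate-oidc-issuer to the exact CI workflow or signer identity; cosign 2.x refuses keyless verification without them (or their -regexp forms), and a loose regexp would accept signatures from any identity at that issuer.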