Skip to content

Commit a0142e9

Browse files
usha-mandyausha-mandya
authored
Merge pull request #23401 from usha-mandya/engdocs-2993
Add a note on DCT retirement
2 parents 2ddbdf9 + 13638dc commit a0142e9

1 file changed

Lines changed: 22 additions & 2 deletions

File tree

  • content/manuals/engine/security/trust

content/manuals/engine/security/trust/_index.md

Lines changed: 22 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -35,6 +35,16 @@ ensure that the images they pull are signed. Publishers could be individuals
3535
or organizations manually signing their content or automated software supply
3636
chains signing content as part of their release process.
3737

38+
> [!NOTE]
39+
>
40+
> Docker is retiring DCT for Docker Official Images
41+
> (DOI). You should start planning to transition to a different image signing
42+
> and verification solution (like [Sigstore](https://www.sigstore.dev/) or
43+
> [Notation](https://github.com/notaryproject/notation#readme)). Timelines for the
44+
> complete deprecation of DCT are being finalized and will be published soon.
45+
>
46+
> For more information, see [Retiring Docker Content Trust](https://www.docker.com/blog/retiring-docker-content-trust/).
47+
3848
### Image tags and DCT
3949

4050
An individual image record has the following identifier:
@@ -111,10 +121,20 @@ Within the Docker CLI we can sign and push a container image with the
111121
`$ docker trust` command syntax. This is built on top of the Notary feature
112122
set. For more information, see the [Notary GitHub repository](https://github.com/theupdateframework/notary).
113123

114-
A prerequisite for signing an image is a Docker Registry with a Notary server
115-
attached (Such as the Docker Hub ). Instructions for
124+
A prerequisite for signing an image is a Docker Registry with a Notary server (such as Docker Hub) attached. Instructions for
116125
standing up a self-hosted environment can be found [here](/engine/security/trust/deploying_notary/).
117126

127+
> [!NOTE]
128+
>
129+
> Docker is retiring DCT for Docker Official Images
130+
> (DOI). You should start planning to transition to a different image signing
131+
> and verification solution (like [Sigstore](https://www.sigstore.dev/) or
132+
> [Notation](https://github.com/notaryproject/notation#readme)). Timelines for the
133+
> complete deprecation of DCT are being finalized and will be published soon.
134+
>
135+
> For more information, see [Retiring Docker Content Trust](https://www.docker.com/blog/retiring-docker-content-trust/).
136+
137+
118138
To sign a Docker Image you will need a delegation key pair. These keys
119139
can be generated locally using `$ docker trust key generate` or generated
120140
by a certificate authority.

0 commit comments

Comments
 (0)