What is Docker content trust?
Why Interviewers Ask This
This question targets practical, hands-on experience with Docker. Interviewers want to see if you've worked with these concepts in real projects, not just read about them. Strong answers include concrete examples.
Answer
Docker Content Trust (DCT) is a Docker CLI feature that uses digital signatures to verify the integrity and the publisher of an image tag before the tag is used. It is built on Notary (v1), an implementation of The Update Framework (TUF) for signing and verifying content. The trust data is not part of the image manifest itself: it lives in a Notary server associated with the registry (for Docker Hub, notary.docker.io), and the CLI fetches it alongside the image.
Enable it with export DOCKER_CONTENT_TRUST=1. With DCT enabled, docker pull, run, create and build resolve a tag to its signed digest and refuse tags that have no valid signature, and docker push signs the tag it pushes. Two caveats matter in practice. First, the setting is an environment variable read by each docker process, so a process launched without it, or invoked with --disable-content-trust, is not enforced. Second, DCT only covers tags: pulling by digest (image@sha256:...) skips trust data entirely, because the digest already pins the content, although it says nothing about who published it.
Signing workflow: (1) Keys: on the first signed push the CLI generates a root key (if you do not already have one) and a repository key, prompting for passphrases; in CI these can be supplied non-interactively through DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE and DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE. (2) Push with signing: DOCKER_CONTENT_TRUST=1 docker push registry/image:tag. (3) Pull verifies the tag's signature against the trust data held by the Notary server; docker trust inspect --pretty registry/image:tag shows which tags are signed and by which keys. Trust is established on first use: the first pull from a repository pins its root key under ~/.docker/trust/, and later updates to the trust data must be signed by a key that chains from it.
Keys: the root key (kept offline; it anchors every repository you sign from that machine and is the most important one to protect), the repository (targets) key (one per repository, used to sign tags, optionally with per-signer delegation keys beneath it), and two server-managed keys, snapshot and timestamp, which provide consistency and freshness so that a stale but validly signed set of trust data cannot be replayed indefinitely.
Limitations: Notary v1 (the original DCT) has usability issues, requires an additional Notary service next to the registry, and is being superseded by Sigstore's cosign. cosign can sign with a conventional key pair, but its keyless mode binds the signature to an OIDC identity (a GitHub Actions workflow, a Google workload identity) through a short-lived certificate recorded in a public transparency log, so CI/CD pipelines can sign without managing long-lived private keys. Signing is cosign sign registry/image@sha256:..., and verification in keyless mode must state who is expected to have signed, for example cosign verify --certificate-identity <expected identity> --certificate-oidc-issuer <expected issuer> registry/image@sha256:.... Sign and verify by digest rather than by tag, since a tag can be moved to different content after it was signed.
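The workflow above, wrapped the way a CI job would call it. This is an added example, not text or tooling from the original page or from Docker: it assumes the docker CLI is on PATH and that the registry is backed by a Notary server, and registry.example.com/app is a placeholder image name. The wrapper enforces the two caveats that bite in practice: it refuses the --disable-content-trust override, refuses digest references that DCT would not verify, forces DOCKER_CONTENT_TRUST=1 only for the command it runs, and hands back the digest-pinned reference that the signed tag resolved to.

```shell
#!/usr/bin/env sh
# Added example (not from the original page or from Docker): a small wrapper
# around the DCT push/pull workflow that applies the caveats a CI job cares about.
# Assumptions: the docker CLI is on PATH and the registry has a Notary server;
# registry.example.com/app is a placeholder image name.

# Return 0 only if none of the arguments is the per-command override, which
# silently turns content trust back off even when DOCKER_CONTENT_TRUST=1 is set.
no_trust_override() {
  for arg in "$@"; do
    case "$arg" in
      --disable-content-trust|--disable-content-trust=true) return 1 ;;
    esac
  done
  return 0
}

# DCT only signs tags. A reference that already carries a digest is skipped by
# trust verification, so a wrapper that promises "verified" must reject it.
is_tag_reference() {
  case "$1" in
    *@sha256:*) return 1 ;;
    *) return 0 ;;
  esac
}

# Sign and push a tag. The export lives in a subshell so trust is forced for
# this push only, regardless of what the caller's environment says.
# Non-interactive runs need DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE (and
# DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE on the very first push) set beforehand.
trusted_push() {
  ref=$1; shift
  no_trust_override "$@" || { echo "refusing: --disable-content-trust present" >&2; return 1; }
  is_tag_reference "$ref" || { echo "refusing: push a tag, not a digest: $ref" >&2; return 1; }
  ( export DOCKER_CONTENT_TRUST=1; docker push "$@" "$ref" )
}

# Pull a tag with verification and print the digest-pinned reference the signed
# tag resolved to, so later stages (deploy manifests, SBOM lookups) can refer to
# immutable content instead of a movable tag. Pull progress goes to stderr so
# stdout carries only the pinned reference.
trusted_pull() {
  ref=$1; shift
  no_trust_override "$@" || { echo "refusing: --disable-content-trust present" >&2; return 1; }
  is_tag_reference "$ref" || { echo "refusing: DCT does not verify digest pulls: $ref" >&2; return 1; }
  ( export DOCKER_CONTENT_TRUST=1; docker pull "$@" "$ref" ) >&2 || return 1
  # RepoDigests holds registry/name@sha256:... entries for the pulled image.
  docker inspect --format '{{index .RepoDigests 0}}' "$ref"
}

# Typical use against a real registry:
# trusted_push registry.example.com/app:1.0
# PINNED=$(trusted_pull registry.example.com/app:1.0)
# echo "deploying $PINNED"
```

Capturing the pinned reference is the point of the pull wrapper: DCT verifies the tag at pull time, but anything downstream that still names the tag can be pointed at different content later, while the @sha256 reference cannot.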
Pro Tip
If you're unsure about a detail, say so honestly and explain your reasoning. Interviewers respect candidates who can think through uncertainty rather than bluffing.