Disable DCT on each registry using the Azure CLI (az acr config content-trust update -r <registry> --status disabled) or the Azure portal (Policies > Content Trust > Disabled), or on the client by unsetting the DOCKER_CONTENT_TRUST environment variable.
Install the Notation CLI and a key management plugin (e.g. notation-azure-kv for Azure Key Vault integration).
Generate or import a signing certificate in Azure Key Vault, then sign built images with 'notation sign' referencing the Key Vault key identifier.
Configure verification policies using 'notation policy import' and validate signed images with 'notation verify' in CI/CD pipelines (Azure DevOps or GitHub Actions) and on AKS via Ratify.
After all registries and pipelines are migrated, confirm that no DCT-related push or pull flags remain in build scripts.
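One way to automate the final check is a CI gate that scans a checkout for leftover DCT switches. This is an added example, not part of the original guide or of any Azure or Notary Project tooling; the function names, the registry.example host and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: CI gate that fails while Docker Content Trust (DCT) remnants
# remain in build scripts or pipeline definitions.

# DCT client switches: the DOCKER_CONTENT_TRUST* environment variables, the
# --disable-content-trust flag on docker push/pull/build, and `docker trust`.
DCT_PATTERN='DOCKER_CONTENT_TRUST|--disable-content-trust|docker[[:space:]]+trust([[:space:]]|$)'

# find_dct_remnants DIR
# Prints file:line:text per match. Returns 0 when clean, 1 when anything is
# found, 2 when DIR is missing. Every mention is reported, including "=0" and
# "unset" lines, so a reviewer can confirm each one is intentional.
find_dct_remnants() {
  [ -d "$1" ] || return 2
  hits=$(grep -rnEI --exclude-dir=.git -e "$DCT_PATTERN" "$1" 2>/dev/null)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# write_constructed_sample DIR
# Creates two constructed files: a legacy DCT build script and a migrated one.
write_constructed_sample() {
  mkdir -p "$1/legacy" "$1/migrated"
  cat > "$1/legacy/build.sh" <<'EOF'
export DOCKER_CONTENT_TRUST=1
docker push registry.example/app:1.0
docker pull --disable-content-trust registry.example/base:1.0
EOF
  cat > "$1/migrated/build.sh" <<'EOF'
docker push registry.example/app:1.0
notation sign --id "$KEY_ID" --plugin azure-kv "$IMAGE"
EOF
}

# Run as: sh check-dct.sh <directory>
if [ "$#" -gt 0 ]; then
  find_dct_remnants "$1"
  exit $?
fi
```

A missing directory returns 2 rather than 0, so a mistyped path in the pipeline does not pass as a clean scan.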
Known gotchas
After May 31, 2026, Docker Content Trust cannot be enabled on registries that did not previously have it; full removal of DCT from all Azure Container Registry instances occurs on March 31, 2028.
Notary Project signatures are stored as OCI referrers attached to the image manifest, not as Docker trust metadata; clients that only understand DCT will not see these signatures.
DCT deprecation started March 31, 2025 — registries with DCT already enabled can still use it until the March 31, 2028 removal date, but migration should not be deferred.