trust: print deprecation warning when using hub Notary server

Docker Hub's Notary service is being retired, and now produces failures in most cases. Add a warning when attempting to use it, pending full removal of trust; https://www.docker.com/blog/retiring-docker-content-trust/ With this PR: DOCKER_CONTENT_TRUST=1 docker pull -q hello-world WARNING: Docker is retiring DCT for Docker Official Images (DOI). For details, refer to https://docs.docker.com/go/dct-deprecation/ could not validate the path to a trusted root: unable to retrieve valid leaf certificates Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-01-26 15:41:42 +03:00 · 2025-09-26 10:50:42 +02:00
parent 6855d70c52
commit 43b03ef2c5
1 changed files with 8 additions and 0 deletions
--- a/cli/trust/trust.go
+++ b/cli/trust/trust.go
@@ -108,6 +108,11 @@ func (scs simpleCredentialStore) RefreshToken(*url.URL, string) string {

 func (simpleCredentialStore) SetRefreshToken(*url.URL, string, string) {}

+const dctDeprecation = `WARNING: Docker is retiring DCT for Docker Official Images (DOI).
+         For details, refer to https://docs.docker.com/go/dct-deprecation/
+
+`
+
 // GetNotaryRepository returns a NotaryRepository which stores all the
 // information needed to operate on a notary repository.
 // It creates an HTTP transport providing authentication support.
@@ -116,6 +121,9 @@ func GetNotaryRepository(in io.Reader, out io.Writer, userAgent string, repoInfo
 	if err != nil {
 		return nil, err
 	}
+	if server == NotaryServer {
+		_, _ = fmt.Fprint(os.Stderr, dctDeprecation)
+	}

 	cfg := tlsconfig.ClientDefault()
 	cfg.InsecureSkipVerify = !repoInfo.Index.Secure