Skip to content
Latchkey

Docker "untrusted signature" (content trust enabled) in CI

With DOCKER_CONTENT_TRUST=1, Docker requires every pulled image to carry valid Notary signatures. An unsigned image, a tag with no trust data, or a missing trust server makes the pull fail rather than fall back to an unverified image.

What this error means

A pull fails with No valid trust data for <tag> or remote trust data does not exist when content trust is enabled.

docker
Error: remote trust data does not exist for docker.io/myorg/app: notary.docker.io does not have trust data for docker.io/myorg/app:ci

Common causes

The image tag is unsigned

With content trust on, an image that was never signed has no trust data to verify.

No trust/Notary server reachable

A private registry without a configured trust server cannot provide signatures.

Content trust enabled unintentionally in CI

An inherited DOCKER_CONTENT_TRUST=1 env var enforces signing where it was not intended.

How to fix it

Sign the image (or pull a signed tag)

  1. Sign and push with content trust on so the tag carries trust data.
Terminal
export DOCKER_CONTENT_TRUST=1
docker trust sign myorg/app:ci

Disable content trust where it is not required

  1. If signing is not part of this pipeline, unset the trust env var for the pull.
Terminal
DOCKER_CONTENT_TRUST=0 docker pull myorg/app:ci

How to prevent it

  • Set DOCKER_CONTENT_TRUST intentionally; do not let it leak into CI by accident.
  • When enforcing trust, sign images in the build job so consumers can verify them.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →