Docker "untrusted signature" (content trust enabled) in CI
With DOCKER_CONTENT_TRUST=1, Docker requires every pulled image to carry valid Notary signatures. An unsigned image, a tag with no trust data, or a missing trust server makes the pull fail rather than fall back to an unverified image.
What this error means
A pull fails with No valid trust data for <tag> or remote trust data does not exist when content trust is enabled.
docker
Error: remote trust data does not exist for docker.io/myorg/app: notary.docker.io does not have trust data for docker.io/myorg/app:ciCommon causes
The image tag is unsigned
With content trust on, an image that was never signed has no trust data to verify.
No trust/Notary server reachable
A private registry without a configured trust server cannot provide signatures.
Content trust enabled unintentionally in CI
An inherited DOCKER_CONTENT_TRUST=1 env var enforces signing where it was not intended.
How to fix it
Sign the image (or pull a signed tag)
- Sign and push with content trust on so the tag carries trust data.
Terminal
export DOCKER_CONTENT_TRUST=1
docker trust sign myorg/app:ciDisable content trust where it is not required
- If signing is not part of this pipeline, unset the trust env var for the pull.
Terminal
DOCKER_CONTENT_TRUST=0 docker pull myorg/app:ciHow to prevent it
- Set
DOCKER_CONTENT_TRUSTintentionally; do not let it leak into CI by accident. - When enforcing trust, sign images in the build job so consumers can verify them.
Related guides
Docker "digest mismatch on pull" in CIFix Docker "filesystem layer verification failed for digest" / digest mismatch on pull in CI - a downloaded l…
Docker "manifest unknown" in CIFix the Docker "manifest unknown" / "manifest for ... not found" pull error in CI, caused by a tag or digest…
Docker "x509: certificate signed by unknown authority" - Fix Registry TLSFix Docker "x509: certificate signed by unknown authority" pushing or pulling in CI - a self-signed or privat…