Skip to content

[DO NOT MERGE][ACR] az acr config content-trust: Begin deprecation of Docker Content Trust feature #32112

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
lizMSFT wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

[DO NOT MERGE][ACR] az acr config content-trust: Begin deprecation of Docker Content Trust feature #32112

lizMSFT wants to merge 1 commit into from

Conversation

@lizMSFT
Copy link
Member

@lizMSFT lizMSFT commented Sep 13, 2025
edited
Loading

[DO NOT MERGE] I'm currently working on the breaking changes announcement and will merge the PR once it's ready.

Related command
az acr check-health
az acr config content-trust
az acr config content-trust show
az acr config content-trust update

Description
Azure Container Registry will retire Docker Content Trust on March 31, 2028. For more details, refer to https://aka.ms/acr/dctdeprecation.

To prepare for this deprecation, the following changes have been made in this PR:

  • Removed Notary client check from az acr check-health, as the feature is being deprecated.
  • Added deprecation labels and notices to the following Azure CLI commands:
    • az acr config content-trust
    • az acr config content-trust show
    • az acr config content-trust update
  • Updated az acr config content-trust update to no longer accept the enabled status value.
  • When users run az acr config content-trust update -r myregistry --status disabled, the CLI will:
    • Display a warning message
    • Require confirmation before proceeding

Testing Guide

> az acr check-health -n zoeycr0707 -y
Docker daemon status: available
Docker version: 'Docker version 28.3.3, build bea959c, platform linux/amd64'
Docker pull of 'mcr.microsoft.com/mcr/hello-world:latest' : OK
Azure CLI version: 2.77.0
DNS lookup to zoeycr0707.azurecr.io at IP 20.62.128.12 : OK
Challenge endpoint https://zoeycr0707.azurecr.io/v2/ : OK
Fetch refresh token for registry 'zoeycr0707.azurecr.io' : OK
Fetch access token for registry 'zoeycr0707.azurecr.io' : OK
Helm version: 3.17.0
image image

History Notes
[ACR] BREAKING CHANGE: az acr config content-trust update no longer accepts the enabled status.
[ACR] BREAKING CHANGE: az acr check-health: Removed Notary client check due to Docker Content Trust deprecation.
[ACR] az acr config content-trust, show, update: Added deprecation labels and notices.

This checklist is used to make sure that common guidelines for a pull request are followed.

@lizMSFT lizMSFT requested a review from zhoxing-ms as a code owner September 13, 2025 02:49
Copilot AI review requested due to automatic review settings September 13, 2025 02:49
@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Sep 13, 2025
edited
Loading

️✔️AzureCLI-FullTest
️✔️acr
️✔️latest
️✔️3.12
️✔️3.13
️✔️acs
️✔️latest
️✔️3.12
️✔️3.13
️✔️advisor
️✔️latest
️✔️3.12
️✔️3.13
️✔️ams
️✔️latest
️✔️3.12
️✔️3.13
️✔️apim
️✔️latest
️✔️3.12
️✔️3.13
️✔️appconfig
️✔️latest
️✔️3.12
️✔️3.13
️✔️appservice
️✔️latest
️✔️3.12
️✔️3.13
️✔️aro
️✔️latest
️✔️3.12
️✔️3.13
️✔️backup
️✔️latest
️✔️3.12
️✔️3.13
️✔️batch
️✔️latest
️✔️3.12
️✔️3.13
️✔️batchai
️✔️latest
️✔️3.12
️✔️3.13
️✔️billing
️✔️latest
️✔️3.12
️✔️3.13
️✔️botservice
️✔️latest
️✔️3.12
️✔️3.13
️✔️cdn
️✔️latest
️✔️3.12
️✔️3.13
️✔️cloud
️✔️latest
️✔️3.12
️✔️3.13
️✔️cognitiveservices
️✔️latest
️✔️3.12
️✔️3.13
️✔️compute_recommender
️✔️latest
️✔️3.12
️✔️3.13
️✔️computefleet
️✔️latest
️✔️3.12
️✔️3.13
️✔️config
️✔️latest
️✔️3.12
️✔️3.13
️✔️configure
️✔️latest
️✔️3.12
️✔️3.13
️✔️consumption
️✔️latest
️✔️3.12
️✔️3.13
️✔️container
️✔️latest
️✔️3.12
️✔️3.13
️✔️containerapp
️✔️latest
️✔️3.12
️✔️3.13
️✔️core
️✔️latest
️✔️3.12
️✔️3.13
️✔️cosmosdb
️✔️latest
️✔️3.12
️✔️3.13
️✔️databoxedge
️✔️latest
️✔️3.12
️✔️3.13
️✔️dls
️✔️latest
️✔️3.12
️✔️3.13
️✔️dms
️✔️latest
️✔️3.12
️✔️3.13
️✔️eventgrid
️✔️latest
️✔️3.12
️✔️3.13
️✔️eventhubs
️✔️latest
️✔️3.12
️✔️3.13
️✔️feedback
️✔️latest
️✔️3.12
️✔️3.13
️✔️find
️✔️latest
️✔️3.12
️✔️3.13
️✔️hdinsight
️✔️latest
️✔️3.12
️✔️3.13
️✔️identity
️✔️latest
️✔️3.12
️✔️3.13
️✔️iot
️✔️latest
️✔️3.12
️✔️3.13
️✔️keyvault
️✔️latest
️✔️3.12
️✔️3.13
️✔️lab
️✔️latest
️✔️3.12
️✔️3.13
️✔️managedservices
️✔️latest
️✔️3.12
️✔️3.13
️✔️maps
️✔️latest
️✔️3.12
️✔️3.13
️✔️marketplaceordering
️✔️latest
️✔️3.12
️✔️3.13
️✔️monitor
️✔️latest
️✔️3.12
️✔️3.13
️✔️mysql
️✔️latest
️✔️3.12
️✔️3.13
️✔️netappfiles
️✔️latest
️✔️3.12
️✔️3.13
️✔️network
️✔️latest
️✔️3.12
️✔️3.13
️✔️policyinsights
️✔️latest
️✔️3.12
️✔️3.13
️✔️privatedns
️✔️latest
️✔️3.12
️✔️3.13
️✔️profile
️✔️latest
️✔️3.12
️✔️3.13
️✔️rdbms
️✔️latest
️✔️3.12
️✔️3.13
️✔️redis
️✔️latest
️✔️3.12
️✔️3.13
️✔️relay
️✔️latest
️✔️3.12
️✔️3.13
️✔️resource
️✔️latest
️✔️3.12
️✔️3.13
️✔️role
️✔️latest
️✔️3.12
️✔️3.13
️✔️search
️✔️latest
️✔️3.12
️✔️3.13
️✔️security
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicebus
️✔️latest
️✔️3.12
️✔️3.13
️✔️serviceconnector
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicefabric
️✔️latest
️✔️3.12
️✔️3.13
️✔️signalr
️✔️latest
️✔️3.12
️✔️3.13
️✔️sql
️✔️latest
️✔️3.12
️✔️3.13
️✔️sqlvm
️✔️latest
️✔️3.12
️✔️3.13
️✔️storage
️✔️latest
️✔️3.12
️✔️3.13
️✔️synapse
️✔️latest
️✔️3.12
️✔️3.13
️✔️telemetry
️✔️latest
️✔️3.12
️✔️3.13
️✔️util
️✔️latest
️✔️3.12
️✔️3.13
️✔️vm
️✔️latest
️✔️3.12
️✔️3.13

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Sep 13, 2025
edited
Loading

❌AzureCLI-BreakingChangeTest
⚠️acr
rule cmd_name rule_message suggest_message
⚠️ 1006 - ParaAdd acr config content-trust update cmd acr config content-trust update added parameter yes
⚠️ 1010 - ParaPropUpdate acr config content-trust update cmd acr config content-trust update update parameter status: updated property choices from ['disabled', 'enabled'] to ['disabled']
❌acs
rule cmd_name rule_message suggest_message
1007 - ParaRemove aks nodepool add cmd aks nodepool add removed parameter localdns_config please add back parameter localdns_config for cmd aks nodepool add
1010 - ParaPropUpdate aks nodepool add cmd aks nodepool add update parameter spot_max_price: updated property default from nan to nan please change property default from nan to nan for parameter spot_max_price of cmd aks nodepool add
1007 - ParaRemove aks nodepool update cmd aks nodepool update removed parameter localdns_config please add back parameter localdns_config for cmd aks nodepool update

Please submit your Breaking Change Pre-announcement ASAP if you haven't already. Please note:

  • Breaking changes can only be merged during the designated breaking change window
  • A pre-announcement must be released at least one month in advance

For more details on how to introduce breaking changes, refer to the documentation: azure-cli/doc/how_to_introduce_breaking_changes.md

@yonzhan
Copy link
Collaborator

yonzhan commented Sep 13, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions
Copy link

github-actions bot commented Sep 13, 2025

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

Copilot AI reviewed Sep 13, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR begins the deprecation process for Docker Content Trust in Azure Container Registry as announced for retirement by March 31, 2028. The changes remove the Notary client check from health commands and add deprecation warnings to content-trust related CLI commands, while updating the enabled status handling for the update command.

  • Removed Notary client health check since the feature is being deprecated
  • Added deprecation notices and warnings to content-trust commands
  • Updated content-trust update command to no longer accept enabled status and require confirmation for disabled status

Reviewed Changes

Copilot reviewed 15 out of 29 changed files in this pull request and generated no comments.

Show a summary per file
File Description
test_acr_commands.py Updated test to use --status disabled -y instead of --status enabled for content-trust update command
test_check_name_availability_dnl_scope.yaml Updated test recording with newer CLI version and timestamps
test_check_name_availability.yaml Updated test recording with newer CLI version and timestamps
test_acr_with_public_network_access_disabled.yaml Updated test recording with newer CLI version and timestamps
test_acr_with_public_network_access.yaml Updated test recording with newer CLI version and timestamps
test_acr_import_no_wait.yaml Updated test recording with newer CLI version and timestamps

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@lizMSFT lizMSFT requested review from shizhMSFT and yizha1 September 13, 2025 02:50
shizhMSFT
shizhMSFT approved these changes Sep 18, 2025
View reviewed changes
Copy link
Member

@shizhMSFT shizhMSFT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@yanzhudd
Copy link
Contributor

yanzhudd commented Sep 29, 2025

If this PR includes any breaking chanes, we need to wait until breaking change window to release it.
For your information, please refer to this document: https://eng.ms/docs/cloud-ai-platform/azure-core/azure-experiences-and-ecosystems/azure-portal-and-client-tools-ruhim/azure-cli-tools-azure-cli-powershell-and-terraform/azure-cli-tools/teams_docs/azcli_docs/breaking_changes

@lizMSFT lizMSFT mentioned this pull request Sep 30, 2025
Merged
3 tasks
@lizMSFT lizMSFT changed the title [ACR] az acr config content-trust: Begin deprecation of Docker Content Trust feature [DO NOT MERGE][ACR] az acr config content-trust: Begin deprecation of Docker Content Trust feature Oct 7, 2025
@northtyphoon northtyphoon mentioned this pull request Oct 19, 2025
Closed
@yanzhudd
Copy link
Contributor

yanzhudd commented Nov 10, 2025

please let us know if this PR is ready to review/merge

@yanzhudd
Copy link
Contributor

yanzhudd commented Nov 10, 2025

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Nov 10, 2025

Azure Pipelines successfully started running 3 pipeline(s).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@zhoxing-ms zhoxing-ms Awaiting requested review from zhoxing-ms zhoxing-ms is a code owner

@jsntcy jsntcy Awaiting requested review from jsntcy jsntcy is a code owner

@yanzhudd yanzhudd Awaiting requested review from yanzhudd yanzhudd is a code owner

@northtyphoon northtyphoon Awaiting requested review from northtyphoon

@terencet-dev terencet-dev Awaiting requested review from terencet-dev

@yizha1 yizha1 Awaiting requested review from yizha1

+1 more reviewer

@shizhMSFT shizhMSFT shizhMSFT approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@zhoxing-ms zhoxing-ms

Labels

None yet

Projects

None yet

Milestone

Backlog

Development

Successfully merging this pull request may close these issues.

5 participants

@lizMSFT @yonzhan @yanzhudd @shizhMSFT @zhoxing-ms