Delete legacy Docker Content Trust
In Mirantis Secure Registry (MSR), Docker Content Trust (DCT) and its underlying Notary server and signer infrastructure are deprecated. If you upgraded from MSR 2.9 with active signatures, the legacy Notary stack is preserved for backward compatibility.
After you migrate your image-signing pipelines to Cosign, administrators can permanently remove the legacy Notary stack, including all legacy trust data, signing databases, and system containers, from the MSR web UI or using the MSR administrative API.
Warning
Disabling Notary is a permanent, destructive action that tears down the Notary subsystem and deletes all existing DCT signatures and trust repositories. The Notary stack cannot be re-enabled after removal. Verify that all required images have been re-signed with Cosign before proceeding.
Delete Notary with the MSR web UI
Log in to the MSR web interface as a system administrator.
In the left navigation menu, go to Admin Settings and locate the Signatures Management section.
Verify that the current status displays as Enabled, then click Disable Notary.
When the confirmation prompt appears, type
deleteinto the text field and click Confirm to proceed. If you type the confirmation word incorrectly, the prompt reappears. Click Cancel to stop the operation without making any changes.Wait for the process to complete. The button displays Disabling Notary… while the system is in a decommissioning state.
After the Notary infrastructure has been removed from your cluster, the button displays Notary Disabled and a success notification confirms the removal.
Delete Notary with the MSR administrative API
The MSR administrative API provides two endpoints for checking Notary status and triggering its removal.
Check current Notary status
Before you disable Notary, verify the current system state:
GET /api/v0/admin/notary/status
A 200 OK response indicates that Notary is active. The response
includes a count of repositories that contain legacy trust metadata:
{
"state": "enabled",
"reposWithTrustData": 14
}
Disable the Notary infrastructure
To initiate the asynchronous teardown job, send an authorized request to the disable endpoint:
POST /api/v0/admin/notary/disable
The endpoint returns the following HTTP response codes:
202 Accepted— The decommission job has started or is already running. The response body returns a job ID to track progress:{ "state": "decommissioning", "jobId": "job-abc-123-xyz" }
200 OK— The legacy stack has already been fully removed. This endpoint is idempotent; repeated calls after completion return a success no-op:{ "state": "disabled" }
400 Bad Request— The request failed preconditions; for example, if signature data exists but required validation parameters are missing.403 Forbidden— The authenticated user does not have system administrator privileges.
While the endpoint returns 202 Accepted, poll
GET /api/v0/admin/notary/status every few seconds until the
state transitions to disabled.
For more details, see the API Reference.