Delete legacy Docker Content Trust

In Mirantis Secure Registry (MSR), Docker Content Trust (DCT) and its underlying Notary server and signer infrastructure are deprecated. If you upgraded from MSR 2.9 with active signatures, the legacy Notary stack is preserved for backward compatibility.

After you migrate your image-signing pipelines to Cosign, administrators can permanently remove the legacy Notary stack, including all legacy trust data, signing databases, and system containers, from the MSR web UI or using the MSR administrative API.

Warning

Disabling Notary is a permanent, destructive action that tears down the Notary subsystem and deletes all existing DCT signatures and trust repositories. The Notary stack cannot be re-enabled after removal. Verify that all required images have been re-signed with Cosign before proceeding.

Delete Notary with the MSR web UI

  1. Log in to the MSR web interface as a system administrator.

  2. In the left navigation menu, go to Admin Settings and locate the Signatures Management section.

  3. Verify that the current status displays as Enabled, then click Disable Notary.

  4. When the confirmation prompt appears, type delete into the text field and click Confirm to proceed. If you type the confirmation word incorrectly, the prompt reappears. Click Cancel to stop the operation without making any changes.

  5. Wait for the process to complete. The button displays Disabling Notary… while the system is in a decommissioning state.

After the Notary infrastructure has been removed from your cluster, the button displays Notary Disabled and a success notification confirms the removal.

Delete Notary with the MSR administrative API

The MSR administrative API provides two endpoints for checking Notary status and triggering its removal.

Check current Notary status

Before you disable Notary, verify the current system state:

GET /api/v0/admin/notary/status

A 200 OK response indicates that Notary is active. The response includes a count of repositories that contain legacy trust metadata:

{
  "state": "enabled",
  "reposWithTrustData": 14
}

Disable the Notary infrastructure

To initiate the asynchronous teardown job, send an authorized request to the disable endpoint:

POST /api/v0/admin/notary/disable

The endpoint returns the following HTTP response codes:

  • 202 Accepted — The decommission job has started or is already running. The response body returns a job ID to track progress:

    {
      "state": "decommissioning",
      "jobId": "job-abc-123-xyz"
    }
    
  • 200 OK — The legacy stack has already been fully removed. This endpoint is idempotent; repeated calls after completion return a success no-op:

    {
      "state": "disabled"
    }
    
  • 400 Bad Request — The request failed preconditions; for example, if signature data exists but required validation parameters are missing.

  • 403 Forbidden — The authenticated user does not have system administrator privileges.

While the endpoint returns 202 Accepted, poll GET /api/v0/admin/notary/status every few seconds until the state transitions to disabled.

For more details, see the API Reference.