Azure enabling content trust will impact exisitng images in registry?

Question

We are planning to enable content trust in Azure Content Registry so that we can push the signed images to repo for the consumers to use. But I have few doubts?

1. Once I enable content trust, can the users still able to pull the existing images?
2. Once I enable content trust, can I push both signed and unsigned images to the registry?

Can anyone advise on this?

Thanks

Answer 1

If you enable Content Trust in Azure Container Registry, the repository could have both signed and unsigned image.

From the docs:

Content trust works with the tags in a repository. Image repositories can contain images with both signed and unsigned tags. For example, you might sign only the myimage:stable and myimage:latest images, but not myimage:dev.

One important point is that only user with the AcrImageSigner role can push signed image to the registry.

Only the users or systems you've granted permission can push trusted images to your registry. To grant trusted image push permission to a user (or a system using a service principal), grant their Azure Active Directory identities the AcrImageSigner role. This is in addition to the AcrPush (or equivalent) role required for pushing images to the registry.

And for the ability to pull untrusted image, if the client activate the content trust on Docker, he could only pull trusted image. But, if he still want an untrusted image, we could add --disable-content-trust to the pull command.