[ACR] az acr config content-trust: Begin deprecation of Docker Content Trust feature

[lizMSFT]

Related command
az acr check-health
az acr config content-trust
az acr config content-trust show
az acr config content-trust update

Description
This is the follow-up PR to #32462

Azure Container Registry will retire Docker Content Trust on March 31, 2028. For more details, refer to https://aka.ms/acr/dctdeprecation.

To prepare for this deprecation, the following changes have been made in this PR:

• Removed Notary client check from az acr check-health, as the feature is being deprecated.
• Added deprecation labels and notices to the following Azure CLI commands:
  • az acr config content-trust
  • az acr config content-trust show
  • az acr config content-trust update
• Updated az acr config content-trust update to no longer accept the enabled status value.
• When users run az acr config content-trust update -r myregistry --status disabled, the CLI will:
  • Display a warning message
  • Require confirmation before proceeding

Testing Guide

> az acr check-health -n zoeycr0707 -y
Docker daemon status: available
Docker version: 'Docker version 28.3.3, build bea959c, platform linux/amd64'
Docker pull of 'mcr.microsoft.com/mcr/hello-world:latest' : OK
Azure CLI version: 2.77.0
DNS lookup to zoeycr0707.azurecr.io at IP 20.62.128.12 : OK
Challenge endpoint https://zoeycr0707.azurecr.io/v2/ : OK
Fetch refresh token for registry 'zoeycr0707.azurecr.io' : OK
Fetch access token for registry 'zoeycr0707.azurecr.io' : OK
Helm version: 3.17.0

History Notes
[ACR] BREAKING CHANGE: az acr config content-trust update no longer accepts the enabled status.
[ACR] BREAKING CHANGE: az acr check-health: Removed Notary client check due to Docker Content Trust deprecation.
[ACR] az acr config content-trust, show, update: Added deprecation labels and notices.

---

This checklist is used to make sure that common guidelines for a pull request are followed.

• The PR title and description has followed the guideline in Submitting Pull Requests.

• I adhere to the Command Guidelines.

• I adhere to the Error Handling Guidelines.

[azure-client-tools-bot-prd]

Validation for Azure CLI Full Test Starting...

Thanks for your contribution!

[azure-client-tools-bot-prd]

Validation for Breaking Change Starting...

Thanks for your contribution!

[yonzhan]

Thank you for your contribution! We will review the pull request and get back to you soon.

[github-actions]

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

[Copilot]

Pull request overview

This PR prepares the ACR Azure CLI module for Docker Content Trust (DCT) retirement by removing Notary client health checks and beginning deprecation of az acr config content-trust commands, including restricting content-trust update to only allow disabling.

Changes:

• Remove Notary client/version validation from az acr check-health and delete related Notary helper/error definitions.
• Deprecate az acr config content-trust command group and adjust content-trust update to reject --status enabled and require confirmation when disabling.
• Update tests/recordings to reflect the new content-trust behavior.

Reviewed changes

Copilot reviewed 9 out of 13 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/azure-cli/azure/cli/command_modules/acr/check_health.py	Removes Notary version check from health diagnostics.
src/azure-cli/azure/cli/command_modules/acr/notary.py	Deletes the Notary CLI detection helper.
src/azure-cli/azure/cli/command_modules/acr/_errors.py	Removes Notary-related error definitions.
src/azure-cli/azure/cli/command_modules/acr/commands.py	Adds deprecation info to acr config content-trust command group.
src/azure-cli/azure/cli/command_modules/acr/_breaking_change.py	Removes logic breaking-change announcements now that the behavior has changed.
src/azure-cli/azure/cli/command_modules/acr/_params.py	Restricts acr config content-trust update --status to only allow disabled.
src/azure-cli/azure/cli/command_modules/acr/policy.py	Adds confirmation prompt (and yes support) when disabling content trust.
src/azure-cli/azure/cli/command_modules/acr/_help.py	Marks content-trust help sections as to-be-deprecated.
src/azure-cli/azure/cli/command_modules/acr/tests/latest/test_acr_commands.py	Updates scenario test to assert enabled is rejected and disabled works with --yes.
src/azure-cli/azure/cli/command_modules/acr/tests/latest/recordings/test_acr_create_with_managed_registry.yaml	Updates VCR recording for the modified command behavior (but needs fixes).

Comments suppressed due to low confidence (1)

src/azure-cli/azure/cli/command_modules/acr/_help.py:123

• The help example still uses --status Enabled, but acr config content-trust update no longer accepts enabled (only disabled). Please update the example (and any related wording) so users don’t copy/paste an invalid value.

short-summary: Update content-trust policy for an Azure Container Registry.
examples:
  - name: Update content-trust policy for an Azure Container Registry
    text: >
        az acr config content-trust update -r myregistry --status Enabled

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.