Upgrades need config change due to Docker Content Trust deprecation

[Starkteetje]

Deprecation Update: Docker Content Trust retirement leads to upgrade issues with old default policy

Docker has started retiring Docker Content Trust. With official images no longer having valid signatures, updating Connaisseur with caching enabled will fail with the previous default config. To update a Connaisseur installation that uses caching, you will need to allow the redis image in some way.
With Connaisseur v3.8.5, we are removing default config for signature verification for Docker Official Images (DOI). This change is driven by Docker’s retirement of Docker Content Trust (Notary v1) and the expiration of the oldest DOI signing certificates on 2025‑08‑08. Continuing to ship a default policy would simply lead to verification attempts failing as certificates expire and Notary v1 data becomes unavailable or invalid.

What’s Changing in 3.8.5

• Removed the default trust / policy configuration that previously attempted DCT (Notary v1) verification for docker.io/library/* images.
• Added an explicit allowlist entry for the current redis:7 image so Connaisseur’s internal/optional deployment continues to function out of the box.

What you need to do

• If you want to verify Docker Official Images, you will need to cross-sign them with a supported signing solution
• If you have caching disabled, you don't need to do anything to upgrade Connaisseur
• If you have caching enabled, you will need to allowlist the specific Redis digest that you want to deploy for caching or sign it with one of Connaisseur's supported signing solutions, including Notary v1 in order for Connaisseur upgrades to work