diff --git a/.github/test/on-master-event.json b/.github/test/on-master-event.json
new file mode 100644
index 000000000..c497522e6
--- /dev/null
+++ b/.github/test/on-master-event.json
@@ -0,0 +1,7 @@
+{
+ "release": {
+ "head": {
+ "ref": "master"
+ }
+ }
+}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a037abf2f..792186e35 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -60,6 +60,41 @@ jobs:
 DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
 DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
 
+ - name: Setup Docker Trust
+ if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+ run: |
+ mkdir -p ~/.docker/trust/private
+
+ echo "${{ secrets.DOCKER_DELEGATION_KEY }}" > ~/.docker/trust/private/$DOCKER_DELEGATION_KEY_ID.key
+ echo "${{ secrets.DOCKER_REPO_API_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_API_ID.key
+ echo "${{ secrets.DOCKER_REPO_IDENTITY_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_IDENTITY_ID.key
+ echo "${{ secrets.DOCKER_REPO_SERVER_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_SERVER_ID.key
+ echo "${{ secrets.DOCKER_REPO_ATTACHMENTS_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_ATTACHMENTS_ID.key
+ echo "${{ secrets.DOCKER_REPO_ICONS_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_ICONS_ID.key
+ echo "${{ secrets.DOCKER_REPO_NOTIFICATIONS_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_NOTIFICATIONS_ID.key
+ echo "${{ secrets.DOCKER_REPO_EVENTS_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_EVENTS_ID.key
+ echo "${{ secrets.DOCKER_REPO_ADMIN_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_ADMIN_ID.key
+ echo "${{ secrets.DOCKER_REPO_NGINX_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_NGINX_ID.key
+ echo "${{ secrets.DOCKER_REPO_SSO_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_SSO_ID.key
+ echo "${{ secrets.DOCKER_REPO_PORTAL_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_PORTAL_ID.key
+ echo "${{ secrets.DOCKER_REPO_MSSQL_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_MSSQL_ID.key
+ echo "${{ secrets.DOCKER_REPO_SETUP_KEY }}" > ~/.docker/trust/private/$DOCKER_REPO_SETUP_ID.key
+ env:
+ DOCKER_DELEGATION_KEY_ID: "5702b22123e058cbd96a7a43000cb981ae98ef3f2f4aa34138ab3dc1d011e446"
+ DOCKER_REPO_API_ID: "525fa3e70b84669c9fe489c5a3d0974898d14c0807b19447242c60ed8d4ca766"
+ DOCKER_REPO_IDENTITY_ID: "084da6ea47ba1c4f34c2870a78a17739cd5df50359d2c2c7616822632df726d3"
+ DOCKER_REPO_SERVER_ID: 
"ffbee21a1a71854a1c1310df4f5aded41726dd90d61050a6256168cd9268b1ee" + DOCKER_REPO_ATTACHMENTS_ID: "e40fbcb5b273ad601c00ea905ca326ab68b395f17a46a8530e0ddd7d12bd4240" + DOCKER_REPO_ICONS_ID: "0d3f5c6854610bd3d9b9c0a6851fe525b057976b46cb0f47de3942cf3b0be394" + DOCKER_REPO_NOTIFICATIONS_ID: "1bf8d22352ec65a6c9b9282c454462240e0a1eb78bff03b65b5a4b7887599ab2" + DOCKER_REPO_EVENTS_ID: "1020320052e6247f3c5fbfc2a3bfb0efc7e247f8a5a187dc03f60848359ac7c9" + DOCKER_REPO_ADMIN_ID: "c5d80db8745fcd7a1510c3fba5c65582cfc2453d2b1eeb292abe79eb1351cf5c" + DOCKER_REPO_NGINX_ID: "bf3d3247f5c2be73bbe830cddbae445c29e4fcc9e2fb4b4d39abf86a2740098b" + DOCKER_REPO_SSO_ID: "97a5f6d29b255ff709ec63faad27c2f76246f006563bf3ecbb71547325c05815" + DOCKER_REPO_PORTAL_ID: "4f358aa0a41c9a6650f5d2f907c2de418df34ddf3ee45e0994be7cc2dcd0b56e" + DOCKER_REPO_MSSQL_ID: "30a44d7efbe48d30ed06abef003d2d8990205dad6a034617cddc03548f8c084e" + DOCKER_REPO_SETUP_ID: "2932fb9c39b7eacf4418c7c9ee4c823f973c426412ddd64d7f9f0b6f940b8428" + - name: Checkout repo uses: actions/checkout@v2 @@ -73,6 +108,7 @@ jobs: - name: Tag dev if: github.ref == 'refs/heads/master' || github.event_name == 'release' + run: ./build.sh tag dev - name: Tag beta @@ -93,14 +129,23 @@ jobs: - name: Push dev images if: github.ref == 'refs/heads/master' || github.event_name == 'release' run: ./build.sh push dev + env: + DOCKER_CONTENT_TRUST: 1 + DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - name: Push beta images if: github.event_name == 'release' run: ./build.sh push beta + env: + DOCKER_CONTENT_TRUST: 1 + DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - name: Push latest images if: github.event_name == 'release' run: ./build.sh push latest + env: + DOCKER_CONTENT_TRUST: 1 + DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }} - name: Push version images if: github.event_name == 'release' 
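Review bot: In the Setup Docker Trust step each private key is written with `echo "${{ secrets.X }}" > ~/.docker/trust/private/$ID.key`, which splices the secret into the script text (so any `"` or `$` in the key material would be interpreted by the shell) and creates the files under the runner's default umask rather than owner-only. Passing every `*_KEY` secret through the step's `env:` block and reading it as `"$DOCKER_DELEGATION_KEY"`, plus a `umask 077` before the writes (or a `chmod 600` on the files afterwards), keeps the signing keys out of the script body and off world-readable permissions. The keys also outlive the step: on a self-hosted runner they stay in `~/.docker/trust/private` after the job, so a closing step with `if: always()` that removes that directory would be worth adding. Whether docker/notary enforces key-file permissions itself I cannot confirm from this hunk, so the umask is defensive rather than a functional fix.
```yaml
      - name: Setup Docker Trust
        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
        run: |
          umask 077
          mkdir -p ~/.docker/trust/private
          echo "$DOCKER_DELEGATION_KEY" > ~/.docker/trust/private/$DOCKER_DELEGATION_KEY_ID.key
          echo "$DOCKER_REPO_API_KEY" > ~/.docker/trust/private/$DOCKER_REPO_API_ID.key
          # … unchanged: the remaining twelve writes, each reading its key from $DOCKER_REPO_<NAME>_KEY …
        env:
          DOCKER_DELEGATION_KEY: ${{ secrets.DOCKER_DELEGATION_KEY }}
          DOCKER_REPO_API_KEY: ${{ secrets.DOCKER_REPO_API_KEY }}
          # … unchanged: remaining *_KEY secrets mapped the same way, then the existing *_ID values …
```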
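Review bot: `DOCKER_CONTENT_TRUST: 1` in the env blocks of the Push dev, beta and latest steps is a bare YAML integer; GitHub Actions stringifies env values so it works, but writing it as `DOCKER_CONTENT_TRUST: "1"` keeps the value a string under any YAML loader and avoids the implicit-typing surprise the rest of the file sidesteps by quoting. The same applies to the Push version images step in the following hunk.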
@@ -108,6 +153,8 @@ jobs:
 shell: pwsh
 env:
 RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
+ DOCKER_CONTENT_TRUST: 1
+ DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ secrets.DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE }}
 
 - name: Make docker stub
 run: |
diff --git a/.gitignore b/.gitignore
index f470ba645..58cf11336 100644
--- a/.gitignore
+++ b/.gitignore
@@ -213,3 +213,4 @@ bitwarden_license/src/Portal/wwwroot/lib
 bitwarden_license/src/Portal/wwwroot/css
 bitwarden_license/src/Sso/wwwroot/lib
 bitwarden_license/src/Sso/wwwroot/css
+.github/test/build.secrets