What Docker client feature, when enabled, helps verify the authenticity and integrity of images during pull operations by checking digital signatures?
The feature is Docker Content Trust. When Docker Content Trust is active, the Docker client enforces a policy under which images must be digitally signed by their publishers. A digital signature is cryptographic proof of two things: authenticity, which confirms that the image genuinely originates from the stated publisher, and integrity, which guarantees that the image has not been modified or tampered with since it was signed. The Docker client verifies these signatures automatically before a pull operation completes. If an image lacks a valid signature, or if signature verification fails, the client refuses to pull the image, which protects against unsigned or compromised images. The feature is enabled by setting the environment variable `DOCKER_CONTENT_TRUST` to `1` (for example, `export DOCKER_CONTENT_TRUST=1`) in the environment where Docker commands are executed.