diff --git a/cmd/moby/build.go b/cmd/moby/build.go
index 986006605..a835899ea 100644
--- a/cmd/moby/build.go
+++ b/cmd/moby/build.go
@@ -262,13 +262,14 @@ func buildInternal(m Moby, pull bool) []byte {
 	}
 	for i, image := range m.Onboot {
 		log.Infof("  Create OCI config for %s", image.Image)
-		config, err := ConfigToOCI(image)
+		useTrust := enforceContentTrust(image.Image, &m.Trust)
+		config, err := ConfigToOCI(image, useTrust)
 		if err != nil {
 			log.Fatalf("Failed to create config.json for %s: %v", image.Image, err)
 		}
 		so := fmt.Sprintf("%03d", i)
 		path := "containers/onboot/" + so + "-" + image.Name
-		out, err := ImageBundle(path, image.Image, config, enforceContentTrust(image.Image, &m.Trust), pull)
+		out, err := ImageBundle(path, image.Image, config, useTrust, pull)
 		if err != nil {
 			log.Fatalf("Failed to extract root filesystem for %s: %v", image.Image, err)
 		}
@@ -281,12 +282,13 @@ func buildInternal(m Moby, pull bool) []byte {
 	}
 	for _, image := range m.Services {
 		log.Infof("  Create OCI config for %s", image.Image)
-		config, err := ConfigToOCI(image)
+		useTrust := enforceContentTrust(image.Image, &m.Trust)
+		config, err := ConfigToOCI(image, useTrust)
 		if err != nil {
 			log.Fatalf("Failed to create config.json for %s: %v", image.Image, err)
 		}
 		path := "containers/services/" + image.Name
-		out, err := ImageBundle(path, image.Image, config, enforceContentTrust(image.Image, &m.Trust), pull)
+		out, err := ImageBundle(path, image.Image, config, useTrust, pull)
 		if err != nil {
 			log.Fatalf("Failed to extract root filesystem for %s: %v", image.Image, err)
 		}
diff --git a/cmd/moby/config.go b/cmd/moby/config.go
index fa6c5a4d1..5d7ecf301 100644
--- a/cmd/moby/config.go
+++ b/cmd/moby/config.go
@@ -202,7 +202,7 @@ func NewImage(config []byte) (MobyImage, error) {
 }
 
 // ConfigToOCI converts a config specification to an OCI config file
-func ConfigToOCI(image MobyImage) ([]byte, error) {
+func ConfigToOCI(image MobyImage, trust bool) ([]byte, error) {
 
 	// TODO pass through same docker client to all functions
 	cli, err := dockerClient()
@@ -210,7 +210,7 @@ func ConfigToOCI(image MobyImage) ([]byte, error) {
 		return []byte{}, err
 	}
 
-	inspect, err := dockerInspectImage(cli, image.Image)
+	inspect, err := dockerInspectImage(cli, image.Image, trust)
 	if err != nil {
 		return []byte{}, err
 	}
diff --git a/cmd/moby/docker.go b/cmd/moby/docker.go
index 1c3b8bcba..c297e4b38 100644
--- a/cmd/moby/docker.go
+++ b/cmd/moby/docker.go
@@ -175,13 +175,13 @@ func dockerClient() (*client.Client, error) {
 	return client.NewEnvClient()
 }
 
-func dockerInspectImage(cli *client.Client, image string) (types.ImageInspect, error) {
+func dockerInspectImage(cli *client.Client, image string, trustedPull bool) (types.ImageInspect, error) {
 	log.Debugf("docker inspect image: %s", image)
 
 	inspect, _, err := cli.ImageInspectWithRaw(context.Background(), image)
 	if err != nil {
 		if client.IsErrImageNotFound(err) {
-			pullErr := dockerPull(image, true, false)
+			pullErr := dockerPull(image, true, trustedPull)
 			if pullErr != nil {
 				return types.ImageInspect{}, pullErr
 			}