diff --git a/docs/yaml.md b/docs/yaml.md
index d4833cb6c..74a0fc0f5 100644
--- a/docs/yaml.md
+++ b/docs/yaml.md
@@ -35,6 +35,18 @@ These containers are started with `containerd` and are expected to remain runnin
 is not guaranteed, so containers should wait on any resources, such as networking, that they need.
 For details of the config for each container, see below.
 
+## `trust`
+
+This section specifies which build components are to be cryptographically verified with
+[Docker Content Trust](https://docs.docker.com/engine/security/trust/content_trust/) prior to pulling.
+Trust is a central concern in any build system, and Moby's is no exception: Docker Content Trust provides authenticity,
+integrity, and freshness guarantees for the components it verifies.  The Moby maintainers are responsible for signing
+`mobylinux` components, though collaborators can sign their own images with Docker Content Trust or [Notary](https://github.com/docker/notary).
+
+- `image` lists which individual images to enforce pulling with Docker Content Trust.
+The image name may include tag or digest, but the matching also succeeds if the base image name is the same.
+- `org` lists which organizations for which Docker Content Trust is to be enforced across all images (ex: `mobylinux` is the org for `mobylinux/kernel`)
+
 ## `output`
 
 This section specifies the output formats that are created. Files are created with the base name of