diff --git a/cmd/moby/build.go b/cmd/moby/build.go
index 390d69554..5524fd55d 100644
--- a/cmd/moby/build.go
+++ b/cmd/moby/build.go
@@ -123,7 +123,7 @@ func buildInternal(name string, pull bool, config []byte) {
 		kernelAltName = "bzImage"
 		ktarName      = "kernel.tar"
 	)
-	out, err := ImageExtract(m.Kernel.Image, "")
+	out, err := ImageExtract(m.Kernel.Image, "", enforceContentTrust(m.Kernel.Image, &m.Trust), pull)
 	if err != nil {
 		log.Fatalf("Failed to extract kernel image and tarball: %v", err)
 	}
@@ -138,15 +138,8 @@ func buildInternal(name string, pull bool, config []byte) {
 	// convert init images to tarballs
 	log.Infof("Add init containers:")
 	for _, ii := range m.Init {
-		if pull || enforceContentTrust(ii, &m.Trust) {
-			log.Infof("Pull init image: %s", ii)
-			err := dockerPull(ii, enforceContentTrust(ii, &m.Trust))
-			if err != nil {
-				log.Fatalf("Could not pull image %s: %v", ii, err)
-			}
-		}
 		log.Infof("Process init image: %s", ii)
-		init, err := ImageExtract(ii, "")
+		init, err := ImageExtract(ii, "", enforceContentTrust(ii, &m.Trust), pull)
 		if err != nil {
 			log.Fatalf("Failed to build init tarball from %s: %v", ii, err)
 		}
@@ -156,13 +149,6 @@ func buildInternal(name string, pull bool, config []byte) {
 
 	log.Infof("Add onboot containers:")
 	for i, image := range m.Onboot {
-		if pull || enforceContentTrust(image.Image, &m.Trust) {
-			log.Infof("  Pull: %s", image.Image)
-			err := dockerPull(image.Image, enforceContentTrust(image.Image, &m.Trust))
-			if err != nil {
-				log.Fatalf("Could not pull image %s: %v", image.Image, err)
-			}
-		}
 		log.Infof("  Create OCI config for %s", image.Image)
 		config, err := ConfigToOCI(&image)
 		if err != nil {
@@ -170,7 +156,7 @@ func buildInternal(name string, pull bool, config []byte) {
 		}
 		so := fmt.Sprintf("%03d", i)
 		path := "containers/onboot/" + so + "-" + image.Name
-		out, err := ImageBundle(path, image.Image, config)
+		out, err := ImageBundle(path, image.Image, config, enforceContentTrust(image.Image, &m.Trust), pull)
 		if err != nil {
 			log.Fatalf("Failed to extract root filesystem for %s: %v", image.Image, err)
 		}
@@ -180,20 +166,13 @@ func buildInternal(name string, pull bool, config []byte) {
 
 	log.Infof("Add service containers:")
 	for _, image := range m.Services {
-		if pull || enforceContentTrust(image.Image, &m.Trust) {
-			log.Infof("  Pull: %s", image.Image)
-			err := dockerPull(image.Image, enforceContentTrust(image.Image, &m.Trust))
-			if err != nil {
-				log.Fatalf("Could not pull image %s: %v", image.Image, err)
-			}
-		}
 		log.Infof("  Create OCI config for %s", image.Image)
 		config, err := ConfigToOCI(&image)
 		if err != nil {
 			log.Fatalf("Failed to create config.json for %s: %v", image.Image, err)
 		}
 		path := "containers/services/" + image.Name
-		out, err := ImageBundle(path, image.Image, config)
+		out, err := ImageBundle(path, image.Image, config, enforceContentTrust(image.Image, &m.Trust), pull)
 		if err != nil {
 			log.Fatalf("Failed to extract root filesystem for %s: %v", image.Image, err)
 		}
diff --git a/cmd/moby/image.go b/cmd/moby/image.go
index 5c132f6ac..0b4bf4c2a 100644
--- a/cmd/moby/image.go
+++ b/cmd/moby/image.go
@@ -40,7 +40,7 @@ nameserver 2001:4860:4860::8844
 }
 
 // ImageExtract extracts the filesystem from an image and returns a tarball with the files prefixed by the given path
-func ImageExtract(image, prefix string) ([]byte, error) {
+func ImageExtract(image, prefix string, trust bool, pull bool) ([]byte, error) {
 	log.Debugf("image extract: %s %s", image, prefix)
 	out := new(bytes.Buffer)
 	tw := tar.NewWriter(out)
@@ -48,7 +48,7 @@ func ImageExtract(image, prefix string) ([]byte, error) {
 	if err != nil {
 		return []byte{}, err
 	}
-	err = imageTar(image, prefix, tw)
+	err = imageTar(image, prefix, tw, trust, pull)
 	if err != nil {
 		return []byte{}, err
 	}
@@ -87,14 +87,31 @@ func tarPrefix(path string, tw *tar.Writer) error {
 	return nil
 }
 
-func imageTar(image, prefix string, tw *tar.Writer) error {
+func imageTar(image, prefix string, tw *tar.Writer, trust bool, pull bool) error {
 	log.Debugf("image tar: %s %s", image, prefix)
 	if prefix != "" && prefix[len(prefix)-1] != byte('/') {
 		return fmt.Errorf("prefix does not end with /: %s", prefix)
 	}
+
+	if pull || trust {
+		log.Infof("Pull image: %s", image)
+		err := dockerPull(image, trust)
+		if err != nil {
+			return fmt.Errorf("Could not pull image %s: %v", image, err)
+		}
+	}
 	container, err := dockerCreate(image)
 	if err != nil {
-		return fmt.Errorf("Failed to docker create image %s: %v", image, err)
+		// most likely we need to pull the image if this failed
+		log.Infof("Pull image: %s", image)
+		err := dockerPull(image, trust)
+		if err != nil {
+			return fmt.Errorf("Could not pull image %s: %v", image, err)
+		}
+		container, err = dockerCreate(image)
+		if err != nil {
+			return fmt.Errorf("Failed to docker create image %s: %v", image, err)
+		}
 	}
 	contents, err := dockerExport(container)
 	if err != nil {
@@ -161,7 +178,7 @@ func imageTar(image, prefix string, tw *tar.Writer) error {
 }
 
 // ImageBundle produces an OCI bundle at the given path in a tarball, given an image and a config.json
-func ImageBundle(path string, image string, config []byte) ([]byte, error) {
+func ImageBundle(path string, image string, config []byte, trust bool, pull bool) ([]byte, error) {
 	log.Debugf("image bundle: %s %s cfg: %s", path, image, string(config))
 	out := new(bytes.Buffer)
 	tw := tar.NewWriter(out)
@@ -183,7 +200,7 @@ func ImageBundle(path string, image string, config []byte) ([]byte, error) {
 	if err != nil {
 		return []byte{}, err
 	}
-	err = imageTar(image, path+"/rootfs/", tw)
+	err = imageTar(image, path+"/rootfs/", tw, trust, pull)
 	if err != nil {
 		return []byte{}, err
 	}