diff --git a/src/cmd/linuxkit/pkg.go b/src/cmd/linuxkit/pkg.go
index 57777f6e1..01f7b45d3 100644
--- a/src/cmd/linuxkit/pkg.go
+++ b/src/cmd/linuxkit/pkg.go
@@ -20,7 +20,7 @@ func pkgUsage() {
 	fmt.Printf("See '%s pkg [command] --help' for details.\n\n", invoked)
 }
 
-func setupContentTrust() {
+func setupContentTrustPassphrase() {
 	// If it is already set there is nothing to do.
 	if _, ok := os.LookupEnv("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE"); ok {
 		return
@@ -49,8 +49,6 @@ func pkg(args []string) {
 		os.Exit(1)
 	}
 
-	setupContentTrust()
-
 	switch args[0] {
 	case "build":
 		pkgBuild(args[1:])
diff --git a/src/cmd/linuxkit/pkg_push.go b/src/cmd/linuxkit/pkg_push.go
index a66faef94..7a84779fa 100644
--- a/src/cmd/linuxkit/pkg_push.go
+++ b/src/cmd/linuxkit/pkg_push.go
@@ -28,6 +28,10 @@ func pkgPush(args []string) {
 		os.Exit(1)
 	}
 
+	if p.TrustEnabled() {
+		setupContentTrustPassphrase()
+	}
+
 	fmt.Printf("Building and pushing %q\n", p.Tag())
 
 	var opts []pkglib.BuildOpt
diff --git a/src/cmd/linuxkit/pkglib/pkglib.go b/src/cmd/linuxkit/pkglib/pkglib.go
index 27e401f77..a5578d7f9 100644
--- a/src/cmd/linuxkit/pkglib/pkglib.go
+++ b/src/cmd/linuxkit/pkglib/pkglib.go
@@ -192,6 +192,11 @@ func (p Pkg) Tag() string {
 	return p.org + "/" + p.image + ":" + p.hash
 }
 
+// TrustEnabled returns true if trust is enabled
+func (p Pkg) TrustEnabled() bool {
+	return p.trust
+}
+
 func (p Pkg) archSupported(want string) bool {
 	for _, supp := range p.arches {
 		if supp == want {