diff --git a/components/engine/graph/pull.go b/components/engine/graph/pull.go
index b138793d1f..0b75881cde 100644
--- a/components/engine/graph/pull.go
+++ b/components/engine/graph/pull.go
@@ -127,7 +127,7 @@ func (s *TagStore) CmdPull(job *engine.Job) engine.Status {
 		logName += ":" + tag
 	}
 
-	if len(repoInfo.Index.Mirrors) == 0 && (repoInfo.Official || endpoint.Version == registry.APIVersion2) {
+	if len(repoInfo.Index.Mirrors) == 0 && (repoInfo.Index.Official || endpoint.Version == registry.APIVersion2) {
 		j := job.Eng.Job("trust_update_base")
 		if err = j.Run(); err != nil {
 			return job.Errorf("error updating trust base graph: %s", err)
diff --git a/components/engine/graph/push.go b/components/engine/graph/push.go
index 0d008b84c4..88b207a458 100644
--- a/components/engine/graph/push.go
+++ b/components/engine/graph/push.go
@@ -294,13 +294,14 @@ func (s *TagStore) CmdPush(job *engine.Job) engine.Status {
 		tag = DEFAULTTAG
 	}
 
-	if repoInfo.Official || endpoint.Version == registry.APIVersion2 {
-		j := job.Eng.Job("trust_update_base")
-		if err = j.Run(); err != nil {
-			return job.Errorf("error updating trust base graph: %s", err)
+	if repoInfo.Index.Official || endpoint.Version == registry.APIVersion2 {
+		if repoInfo.Official {
+			j := job.Eng.Job("trust_update_base")
+			if err = j.Run(); err != nil {
+				return job.Errorf("error updating trust base graph: %s", err)
+			}
 		}
 
-		// Get authentication type
 		auth, err := r.GetV2Authorization(repoInfo.RemoteName, false)
 		if err != nil {
 			return job.Errorf("error getting authorization: %s", err)
@@ -383,7 +384,6 @@ func (s *TagStore) CmdPush(job *engine.Job) engine.Status {
 		// done, no fallback to V1
 		return engine.StatusOK
 	} else {
-
 		if err != nil {
 			reposLen := 1
 			if tag == "" {
diff --git a/components/engine/registry/config.go b/components/engine/registry/config.go
index b5652b15d8..4d13aaea35 100644
--- a/components/engine/registry/config.go
+++ b/components/engine/registry/config.go
@@ -23,7 +23,7 @@ type Options struct {
 const (
 	// Only used for user auth + account creation
 	INDEXSERVER    = "https://index.docker.io/v1/"
-	REGISTRYSERVER = "https://registry-1.docker.io/v1/"
+	REGISTRYSERVER = "https://registry-1.docker.io/v2/"
 	INDEXNAME      = "docker.io"
 
 	// INDEXSERVER = "https://registry-stage.hub.docker.com/v1/"
diff --git a/components/engine/registry/endpoint.go b/components/engine/registry/endpoint.go
index 5c5b052000..9a783f1f05 100644
--- a/components/engine/registry/endpoint.go
+++ b/components/engine/registry/endpoint.go
@@ -10,6 +10,7 @@ import (
 	"strings"
 
 	log "github.com/Sirupsen/logrus"
+	"github.com/docker/docker/registry/v2"
 )
 
 // for mocking in unit tests
@@ -103,6 +104,7 @@ type Endpoint struct {
 	Version        APIVersion
 	IsSecure       bool
 	AuthChallenges []*AuthorizationChallenge
+	URLBuilder     *v2.URLBuilder
 }
 
 // Get the formated URL for the root of this registry Endpoint
diff --git a/components/engine/registry/session_v2.go b/components/engine/registry/session_v2.go
index 407c5f3a23..2304a61344 100644
--- a/components/engine/registry/session_v2.go
+++ b/components/engine/registry/session_v2.go
@@ -13,30 +13,36 @@ import (
 	"github.com/docker/docker/utils"
 )
 
-var registryURLBuilder *v2.URLBuilder
-
-func init() {
-	u, err := url.Parse(REGISTRYSERVER)
-	if err != nil {
-		panic(fmt.Errorf("invalid registry url: %s", err))
-	}
-	registryURLBuilder = v2.NewURLBuilder(u)
-}
-
 func getV2Builder(e *Endpoint) *v2.URLBuilder {
-	return registryURLBuilder
+	if e.URLBuilder == nil {
+		e.URLBuilder = v2.NewURLBuilder(e.URL)
+	}
+	return e.URLBuilder
 }
 
 // GetV2Authorization gets the authorization needed to the given image
 // If readonly access is requested, then only the authorization may
 // only be used for Get operations.
-func (r *Session) GetV2Authorization(imageName string, readOnly bool) (*RequestAuthorization, error) {
+func (r *Session) GetV2Authorization(imageName string, readOnly bool) (auth *RequestAuthorization, err error) {
 	scopes := []string{"pull"}
 	if !readOnly {
 		scopes = append(scopes, "push")
 	}
 
-	return NewRequestAuthorization(r.GetAuthConfig(true), r.indexEndpoint, "repository", imageName, scopes)
+	var registry *Endpoint
+	if r.indexEndpoint.URL.Host == IndexServerURL.Host {
+		registry, err = NewEndpoint(REGISTRYSERVER, nil)
+		if err != nil {
+			return
+		}
+	} else {
+		registry = r.indexEndpoint
+	}
+	registry.URLBuilder = v2.NewURLBuilder(registry.URL)
+	r.indexEndpoint = registry
+
+	log.Debugf("Getting authorization for %s %s", imageName, scopes)
+	return NewRequestAuthorization(r.GetAuthConfig(true), registry, "repository", imageName, scopes)
 }
 
 //