What changed
FACT: Docker announced it is fully retiring Docker Content Trust (DCT) and the Notary v1 service at notary.docker.io, with migration guidance to Sigstore/Cosign and Notation (docker.com blog, signal 620).
Why now
HYPOTHESIS: a published shutdown date puts DCT verification on a clock β image trust data served by notary.docker.io stops resolving at cutoff, so any pipeline still running DOCKER_CONTENT_TRUST=1 breaks. The window between announcement and shutdown is the only time this tool is relevant.
Converging signals
Weak: this is effectively ONE signal (Docker's retirement notice) framed as a chain. The 'platform + dev' bridge is a single vendor deprecation, not multiple independent signals meeting.
Customer pain
HYPOTHESIS: teams with DCT in CI must swap signing/verification or their builds fail at cutoff. INFERENCE: real DCT adoption is low and has been declining for years β most security-conscious teams already moved to Cosign, so the affected population is smaller than the 'every CI/CD flow' framing implies. No demand_evidence provided (empty array) β pain is asserted, not proven.
Who pays
DevOps/platform engineering teams still using DCT. INFERENCE: these are exactly the buyers most able to run `cosign` themselves for free following Docker's own guide.
Solved today
FACT: Docker publishes free migration guidance; Sigstore/Cosign and Notation are free, open-source, and heavily documented. Teams migrate by hand with a short script.
Why current solutions are bad
HYPOTHESIS: a manual migration across many images/repos is tedious and error-prone, and a compliance report is nice-to-have β but this is a convenience gap, not an unmet need.
Proposed product
CLI that scans a registry/CI for DCT-signed images and DOCKER_CONTENT_TRUST usage, re-signs with Cosign/Notation, rewrites verification steps in common CI configs, and outputs a before/after attestation report. Paid tier: hosted audit + signed compliance PDF.
MVP version
Open-source CLI: inventory DCT signatures via the Notary API before it dies, generate Cosign keypairs/keyless flow, emit a migration plan + PR patches for GitHub Actions/GitLab CI.
30-day build
Ship the free CLI on GitHub, write a migration blog post targeting the exact search terms, get it into Sigstore/DevOps newsletters.
60-day build
Add the paid audit tier and a CI plugin; pursue design-partner teams from inbound.
90-day revenue plan
HYPOTHESIS: a handful of paid audits ($500β2k each) IF enough late-migrating teams surface β but revenue evaporates once the shutdown passes.
Distribution path
GitHub, Hacker News/Reddit r/devops, Sigstore community, SEO on 'notary.docker.io shutdown migrate'.
Pricing hypothesis
Free CLI; $499β$1,999 one-time audit/report tier; optional $99/mo verification-drift monitor to create recurrence.
Technical difficulty
Low-to-moderate: wrapping cosign/notation and parsing CI YAML is straightforward for this founder.
Legal / regulatory risk
Low.
Platform dependency
Depends entirely on a single vendor's deprecation timeline; no government portal here, so the platform-risk exemption does not apply β Docker/Sigstore own the ecosystem.
Founder fit
Low. This is NOT the founder's primary thesis: no public money, no forced-filer/government-portal mandate, no per-filing transaction against a compelled buyer. It's discretionary dev tooling competing with free OSS.
Breakout potential
Low. Intrinsically a one-time migration event with a hard expiry; the only durable seam is turning it into an ongoing supply-chain/signature-drift monitor, which is a different, crowded product (already served by Sigstore ecosystem tools).
Final recommendation
PASS / build-only-as-marketing. If built at all, ship the free CLI purely as a lead magnet β do not expect it to be a sellable product. It fails on founder-fit, competitive gap (free OSS + vendor guide), and one-time-event durability. Redirect effort to public-money / forced-filer opportunities that match the founder's proven edge.
Next action
Confirm Docker's actual published shutdown date and estimate residual DCT usage (registry telemetry / GitHub code search for DOCKER_CONTENT_TRUST); if the population is negligible, drop it.