Convergence Radar Convergence Engine

← Feed

D

DCT-to-Cosign migration CLI + paid cutover audit before notary.docker.io goes dark

31/100

A one-shot tool that inventories Docker Content Trust–signed images, re-signs them with Cosign/Notation, rewrites CI verification, and emits a compliance report β€” free CLI plus a paid team/audit tier.

Archive. Β· created 2026-07-12 05:08 UTC

saasapilong-termtoo complexrevisit later

Scorecard

newness 6/10
convergence 3/10
demand evidence 2/10
existing spend 3/10
solo feasibility 7/10
speed to mvp 8/10
speed to revenue 3/10
distribution 5/10
competitive gap 2/10
expansion 2/10
founder fit 3/10

Penalty flags
platform policy risk adequate free path one time event (βˆ’10 from raw 41)

Opportunity brief

What changed
FACT: Docker announced it is fully retiring Docker Content Trust (DCT) and the Notary v1 service at notary.docker.io, with migration guidance to Sigstore/Cosign and Notation (docker.com blog, signal 620).
Why now
HYPOTHESIS: a published shutdown date puts DCT verification on a clock β€” image trust data served by notary.docker.io stops resolving at cutoff, so any pipeline still running DOCKER_CONTENT_TRUST=1 breaks. The window between announcement and shutdown is the only time this tool is relevant.
Converging signals
Weak: this is effectively ONE signal (Docker's retirement notice) framed as a chain. The 'platform + dev' bridge is a single vendor deprecation, not multiple independent signals meeting.
Customer pain
HYPOTHESIS: teams with DCT in CI must swap signing/verification or their builds fail at cutoff. INFERENCE: real DCT adoption is low and has been declining for years β€” most security-conscious teams already moved to Cosign, so the affected population is smaller than the 'every CI/CD flow' framing implies. No demand_evidence provided (empty array) β€” pain is asserted, not proven.
Who pays
DevOps/platform engineering teams still using DCT. INFERENCE: these are exactly the buyers most able to run `cosign` themselves for free following Docker's own guide.
Solved today
FACT: Docker publishes free migration guidance; Sigstore/Cosign and Notation are free, open-source, and heavily documented. Teams migrate by hand with a short script.
Why current solutions are bad
HYPOTHESIS: a manual migration across many images/repos is tedious and error-prone, and a compliance report is nice-to-have β€” but this is a convenience gap, not an unmet need.
Proposed product
CLI that scans a registry/CI for DCT-signed images and DOCKER_CONTENT_TRUST usage, re-signs with Cosign/Notation, rewrites verification steps in common CI configs, and outputs a before/after attestation report. Paid tier: hosted audit + signed compliance PDF.
MVP version
Open-source CLI: inventory DCT signatures via the Notary API before it dies, generate Cosign keypairs/keyless flow, emit a migration plan + PR patches for GitHub Actions/GitLab CI.
30-day build
Ship the free CLI on GitHub, write a migration blog post targeting the exact search terms, get it into Sigstore/DevOps newsletters.
60-day build
Add the paid audit tier and a CI plugin; pursue design-partner teams from inbound.
90-day revenue plan
HYPOTHESIS: a handful of paid audits ($500–2k each) IF enough late-migrating teams surface β€” but revenue evaporates once the shutdown passes.
Distribution path
GitHub, Hacker News/Reddit r/devops, Sigstore community, SEO on 'notary.docker.io shutdown migrate'.
Pricing hypothesis
Free CLI; $499–$1,999 one-time audit/report tier; optional $99/mo verification-drift monitor to create recurrence.
Technical difficulty
Low-to-moderate: wrapping cosign/notation and parsing CI YAML is straightforward for this founder.
Legal / regulatory risk
Low.
Platform dependency
Depends entirely on a single vendor's deprecation timeline; no government portal here, so the platform-risk exemption does not apply β€” Docker/Sigstore own the ecosystem.
Founder fit
Low. This is NOT the founder's primary thesis: no public money, no forced-filer/government-portal mandate, no per-filing transaction against a compelled buyer. It's discretionary dev tooling competing with free OSS.
Breakout potential
Low. Intrinsically a one-time migration event with a hard expiry; the only durable seam is turning it into an ongoing supply-chain/signature-drift monitor, which is a different, crowded product (already served by Sigstore ecosystem tools).
Final recommendation
PASS / build-only-as-marketing. If built at all, ship the free CLI purely as a lead magnet β€” do not expect it to be a sellable product. It fails on founder-fit, competitive gap (free OSS + vendor guide), and one-time-event durability. Redirect effort to public-money / forced-filer opportunities that match the founder's proven edge.
Next action
Confirm Docker's actual published shutdown date and estimate residual DCT usage (registry telemetry / GitHub code search for DOCKER_CONTENT_TRUST); if the population is negligible, drop it.

Kill arguments (adversarial)

Competitors

β€’ Sigstore / Cosign (link) β€” Free, open-source signing/verification and the recommended migration target β€” the default DIY path.
β€’ Notation (Notary Project) (link) β€” Free OSS signing tool Docker points migrators toward; commoditizes the core action.
β€’ Docker migration guidance (link) β€” The vendor's own free step-by-step guide β€” the adequate free path competing with any paid tool.

Source citations (facts)

β€’ Docker Content Trust: Retirement and Migration Guidance β€” Docker is fully retiring Docker Content Trust and the notary.docker.io Notary v1 service and publishing migration guidance to Cosign/Notation.

Actions