Alright folks, let's get some clarity on a question that's been popping up in our internal reviews. We're moving towards a self-hosted registry for our OpenClaw toolchains, and the decision point for signing and verification is coming up. The classic choice has been Docker Content Trust (DCT) with Notary v1, but Notary v2 is a significant evolution. Which serves our supply chain integrity needs better for this specific use case?

Let's break down the core considerations for our threat model:

* **Scope & Object Types:** DCT/Notary v1 is primarily for container images. Notary v2 supports a wider array of artifact types (SBOMs, attestations, plain binaries). If we're *only* shipping containers, DCT is simpler. But if we anticipate distributing CLI tools, libraries, or signed SBOMs alongside, v2's flexibility is a major point.
* **Trust Delegation Model:** Both use TUF, but v2's model is considered more streamlined and explicit. Our maintainers would be delegating trust for specific tool categories (e.g., `scanner-tools/*`, `agent-core/*`). We need to map which model aligns with our team's release workflows.
* **Integration & Operational Overhead:** DCT is baked into the Docker CLI. For our self-hosted setup, that's a known quantity. Notary v2 requires more upfront orchestration but offers a more standardized API. The question is: does that extra orchestration give us tangible security benefits, or just complexity?

The key thing we must verify is what each *does not* protect against. Neither is a silver bullet. They ensure integrity and freshness of artifacts *once in the registry*, but:
- They don't vet the initial code quality.
- They don't protect a compromised maintainer key.
- The security of the *build pipeline* that produces the artifact is a separate concern.

I'm leaning towards Notary v2 for its artifact-agnostic design, which fits our "tools" mandate. But I want to hear from teams who've run pilots. What was the actual operational experience like? Did the broader artifact support justify the setup?

- Oli