Securing the software supply chain with DTR

DTR is the second part of Docker's extended EE offering. (I covered Universal Control Plane (UCP) in Chapter 8, Administering and Monitoring Dockerized Solutions.) DTR is a private Docker registry that adds an important piece to the overall security story of the Docker platform: a secure software supply chain.

You can digitally sign Docker images with DTR, and DTR lets you configure who can push and pull images, securely storing all the digital signatures that users have applied to an image. It also works in conjunction with UCP to enforce content trust. With Docker Content Trust, you can set up your cluster so that it only runs containers from images that have been signed by specific users or teams.

This is a powerful feature that meets the audit requirements of many regulated industries. A company may need to prove that the software running in production was actually built from the code in the SCM. That is very difficult to do without a software supply chain; you have to rely on manual processes and a document trail. With Docker, you can enforce it at the platform level and meet the audit requirements with automated processes.
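As an added illustration (not the book's or Docker's own code), the following Python models the enforcement rule described above: an image may run only when a member of every required team has signed its exact manifest digest. The policy shape, team names, users and digests are all constructed for the example.

```python
# Model of the content-trust check UCP enforces with DTR signatures:
# an image may run only if a member of every required team has signed it.
# Constructed example, not Docker's code; the policy shape is an assumption.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    signer: str  # DTR user who signed the tag
    digest: str  # image manifest digest the signature covers


@dataclass
class TrustPolicy:
    require_signed: bool
    required_teams: tuple[str, ...]          # each team must have a signer
    team_members: dict[str, frozenset[str]]  # team name -> member users

    def evaluate(self, digest: str, signatures: list[Signature]):
        """Decide whether an image with this digest may run: (allowed, reason)."""
        if not self.require_signed:
            return True, "content trust not enforced"
        # Only signatures over this exact digest count; a signature on an
        # older build of the same tag proves nothing about the current image.
        signers = {s.signer for s in signatures if s.digest == digest}
        if not signers:
            return False, f"no signature covers {digest}"
        missing = [t for t in self.required_teams
                   if not signers & self.team_members.get(t, frozenset())]
        if missing:
            return False, "missing signature from team(s): " + ", ".join(missing)
        return True, "signed by " + ", ".join(sorted(signers))


# Constructed policy and digests for illustration.
POLICY = TrustPolicy(
    require_signed=True,
    required_teams=("build", "security"),
    team_members={"build": frozenset({"ci-bot", "alice"}),
                  "security": frozenset({"bob"})},
)
CURRENT = "sha256:1111"   # digest of the image being started (constructed)
STALE = "sha256:0000"     # digest of an earlier build of the same tag

if __name__ == "__main__":
    print(POLICY.evaluate(CURRENT, [Signature("ci-bot", CURRENT)]))
```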
