docker
[feature] SHA256 for Install Script
Description
For security purposes, it would be nice if this repository could also publish a SHA256 file (maybe https://get.docker.com/SHA256SUM) so that the script itself can be verified before running.
We don't currently publish checksums, but the scripts published at get.docker.com do contain the commit that they were published from. For example, currently the script that's published is at commit 6d9743e9656cc56f699a64800b098d5ea5a60020;
curl -fsSL https://get.docker.com > install.sh
cat install.sh | grep SCRIPT_COMMIT_SHA=
SCRIPT_COMMIT_SHA="6d9743e9656cc56f699a64800b098d5ea5a60020"
With that, you should be able to verify that the content of the script you downloaded matches the expected content (baring the actual SCRIPT_COMMIT_SHA line);
export SCRIPT_COMMIT_SHA="6d9743e9656cc56f699a64800b098d5ea5a60020"
git diff --no-index ./install.sh <(curl -fsSL "https://raw.githubusercontent.com/docker/docker-install/${SCRIPT_COMMIT_SHA}/install.sh")
diff --git a/dev/fd/63 b/dev/fd/62
--- a/dev/fd/63
+++ b/dev/fd/62
@@ -80,7 +80,7 @@ set -e
# Git commit from https://github.com/docker/docker-install when
# the script was uploaded (Should only be modified by upload job):
-SCRIPT_COMMIT_SHA="6d9743e9656cc56f699a64800b098d5ea5a60020"
+SCRIPT_COMMIT_SHA="${LOAD_SCRIPT_COMMIT_SHA}"
# strip "v" prefix if present
VERSION="${VERSION#v}"
Or if you have envsubst installed, you could substitute the $LOAD_SCRIPT_COMMIT_SHA in the script to make sure there's no diff;
export LOAD_SCRIPT_COMMIT_SHA="6d9743e9656cc56f699a64800b098d5ea5a60020"
git diff --no-index ./install.sh <(curl -fsSL "https://raw.githubusercontent.com/docker/docker-install/${LOAD_SCRIPT_COMMIT_SHA}/install.sh" | envsubst '$LOAD_SCRIPT_COMMIT_SHA')
