Script at get.docker.com doesn't contain fingerprint

[ghost]

• This is a bug report
• This is a feature request
• I searched existing issues before opening this one

The script at get.docker.com doesn't contain any fingerprint for the apt key. While this makes no difference when downloading it on-demand and piping it into a bash, this makes a big difference in security when downloading it once and baking it into an image, and using this fixed version for a longer time to install docker in a larger deployment.

Expected behavior

the script contains the apt-key fingerprint inside itself, and verifies it

Actual behavior

the script only relies on HTTPS verification, which results in much weaker security in cases where the script isn't downloaded via HTTPS on-demand but baked

Steps to reproduce the behavior

1. Open script at get.docker.com
2. Check for fingerprint verification line (which isn't there)

Output of docker version:
affects website script only

Output of docker info:
affects website script only

Additional environment details (AWS, VirtualBox, physical, etc.)

[justincormack]

For some reason the key checking I added was removed in docker/docker-install#39

This needs to be fixed.

[justincormack]

(We stopped using the gpg servers as they are highly unreliable).

[seemethere]

We download the apt gpg key here:
https://github.com/docker/docker-install/blob/40b1b763998f478b3774d93763ad33eacc77def8/install.sh#L381

It isn't hardcoded into the script because we use get.docker.com against multiple different apt repositories (external and internal).

By default apt repositories use gpg verification, so there's no need for explicit checking since apt will do it for you when you try to install.

Output from script without said line above:

$ sh install.sh
# Executing docker install script, commit: 40b1b76
+ sh -c apt-get update -qq >/dev/null
+ sh -c apt-get install -y -qq apt-transport-https ca-certificates curl >/dev/null
debconf: delaying package configuration, since apt-utils is not installed
+ sh -c echo "deb [arch=amd64] https://download.docker.com/linux/ubuntu xenial edge" > /etc/apt/sources.list.d/docker.list
+ sh -c apt-get update -qq >/dev/null
W: GPG error: https://download.docker.com/linux/ubuntu xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7EA0A9C3F273FCD8
W: The repository 'https://download.docker.com/linux/ubuntu xenial InRelease' is not signed.
+ sh -c apt-get install -y -qq --no-install-recommends docker-ce >/dev/null
E: There were unauthenticated packages and -y was used without --allow-unauthenticated

[ghost]

@seemethere well but that download isn't verified other than basic HTTPS, is it? that is a significant reduction in security for static use of the script. if you use multiple keys, why not add all of them instead of none?

[JanoschDeurer]

@seemethere why is there an explicit checking against the fingerprint in the manual installation instructions? Isn't that to increase security and should therefore also be build into any automated installation?