
script checksums? #318

Closed
gwynforthewyn opened this issue Oct 25, 2022 · 2 comments

@gwynforthewyn

Hey folks -

I checked the docker website and this repository and couldn't find a checksum to validate the script against.

Do you publish a checksum for the script? I believe checksum validation is a known first line of defence against supply-chain attacks, so it'd be nice to have them.

@thaJeztah
Member

We don't currently publish checksums, but the scripts published at get.docker.com do contain the commit that they were published from. For example, currently the script that's published is at commit 6d9743e:

```
curl -fsSL https://get.docker.com > install.sh
cat install.sh | grep SCRIPT_COMMIT_SHA=
SCRIPT_COMMIT_SHA="6d9743e9656cc56f699a64800b098d5ea5a60020"
```

With that, you should be able to verify that the content of the script you downloaded matches the expected content (barring the actual SCRIPT_COMMIT_SHA line):

```
export SCRIPT_COMMIT_SHA="6d9743e9656cc56f699a64800b098d5ea5a60020"
git diff --no-index ./install.sh <(curl -fsSL "https://raw.githubusercontent.com/docker/docker-install/${SCRIPT_COMMIT_SHA}/install.sh")
diff --git a/dev/fd/63 b/dev/fd/62
--- a/dev/fd/63
+++ b/dev/fd/62
@@ -80,7 +80,7 @@ set -e

 # Git commit from https://github.com/docker/docker-install when
 # the script was uploaded (Should only be modified by upload job):
-SCRIPT_COMMIT_SHA="6d9743e9656cc56f699a64800b098d5ea5a60020"
+SCRIPT_COMMIT_SHA="${LOAD_SCRIPT_COMMIT_SHA}"

 # strip "v" prefix if present
 VERSION="${VERSION#v}"
```

Or if you have envsubst installed, you could substitute the $LOAD_SCRIPT_COMMIT_SHA in the script to make sure there's no diff:

```shell
export LOAD_SCRIPT_COMMIT_SHA="6d9743e9656cc56f699a64800b098d5ea5a60020"
git diff --no-index ./install.sh <(curl -fsSL "https://raw.githubusercontent.com/docker/docker-install/${LOAD_SCRIPT_COMMIT_SHA}/install.sh" | envsubst '$LOAD_SCRIPT_COMMIT_SHA')
```

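The check described in the comment above, written out as an added example that is not part of this thread or of the docker/docker-install project: a POSIX sh script that pulls SCRIPT_COMMIT_SHA out of a downloaded copy of the install script, substitutes it into the reference copy in place of the ${LOAD_SCRIPT_COMMIT_SHA} placeholder (the envsubst step, done here with sed), and compares the two byte for byte. It works on local files so it runs offline and needs no bash process substitution; fetching the reference copy for the named commit is the curl command shown in the comment. The function names and the sample files are constructed for the example. One point worth keeping in mind when relying on this check: the commit id is taken from the downloaded script itself, so what the comparison establishes is that the download is identical to what the docker/docker-install repository holds at the commit it names. That moves the trust anchor from get.docker.com to the GitHub repository; it does not by itself tell you that the named commit is the one the maintainers intended to publish.

```shell
#!/bin/sh
# Added example, not the docker/docker-install project's own code: verify that a
# downloaded install script matches the reference copy for the commit it names.
# Assumes the reference copy (raw install.sh at that commit) still carries the
# literal "${LOAD_SCRIPT_COMMIT_SHA}" placeholder that the upload job replaces.

# Print the SCRIPT_COMMIT_SHA value from a script; fail unless it is a full
# 40-character lowercase hex git SHA-1 (rejects the unsubstituted placeholder).
extract_commit_sha() {
    sha=$(sed -n 's/^SCRIPT_COMMIT_SHA="\([^"]*\)".*$/\1/p' "$1" | head -n 1)
    case "$sha" in
        "" | *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#sha}" -eq 40 ] || return 1
    printf '%s\n' "$sha"
}

# Substitute the placeholder in the reference copy with the commit id taken from
# the download (what envsubst does in the thread, done here with sed so only
# POSIX tools are needed) and compare byte for byte. Returns 0 only on an exact
# match; on a mismatch the unified diff is written to stderr.
verify_script() {
    downloaded=$1
    reference=$2
    sha=$(extract_commit_sha "$downloaded") || {
        echo "$downloaded: no valid SCRIPT_COMMIT_SHA line" >&2
        return 1
    }
    expected=$(mktemp)
    sed 's/[$]{LOAD_SCRIPT_COMMIT_SHA}/'"$sha"'/g' "$reference" > "$expected"
    if cmp -s "$expected" "$downloaded"; then
        rm -f "$expected"
        return 0
    fi
    diff -u "$expected" "$downloaded" >&2 || true
    rm -f "$expected"
    return 1
}

# Constructed sample inputs (not real get.docker.com content), using the commit
# id quoted in the thread: a reference copy with the placeholder, a faithful
# download, and a download with one extra line appended. Prints the directory.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/reference.sh" <<'EOF'
#!/bin/sh
set -e
# Git commit from https://github.com/docker/docker-install when
# the script was uploaded (Should only be modified by upload job):
SCRIPT_COMMIT_SHA="${LOAD_SCRIPT_COMMIT_SHA}"
# strip "v" prefix if present
VERSION="${VERSION#v}"
EOF
    sed 's/[$]{LOAD_SCRIPT_COMMIT_SHA}/6d9743e9656cc56f699a64800b098d5ea5a60020/' \
        "$dir/reference.sh" > "$dir/downloaded.sh"
    { cat "$dir/downloaded.sh"; echo 'echo "line not present in the reference copy"'; } \
        > "$dir/tampered.sh"
    printf '%s\n' "$dir"
}

# Real use: verify_script ./install.sh ./install-at-commit.sh, where the second
# file is the raw install.sh fetched for the commit named inside the first.
# Run with --demo to exercise the constructed samples instead.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    verify_script "$d/downloaded.sh" "$d/reference.sh" && echo "downloaded.sh: OK"
    verify_script "$d/tampered.sh" "$d/reference.sh" || echo "tampered.sh: MISMATCH"
    rm -rf "$d"
fi
```

The placeholder is matched with the bracket expression `[$]{LOAD_SCRIPT_COMMIT_SHA}` rather than a bare `$` so the sed expression behaves the same across GNU and BSD sed; `cmp -s` gives a clean pass/fail exit status for scripting, and the `diff -u` on failure shows a human exactly which lines differ from the repository copy.
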
@thaJeztah
Member

Looks like this is a duplicate of #299

closing as duplicate of #299

thaJeztah closed this as not planned (duplicate) on Jul 20, 2024