script checksums?
gwynforthewyn opened this issue · 2 comments
Hey folks -
I checked the docker website and this repository and couldn't find a checksum to validate the script against.
Do you publish a checksum for the script? I believe checksum validation is a known first line of defence against supply-chain attacks, so it'd be nice to have them.
We don't currently publish checksums, but the scripts published at get.docker.com do contain the commit that they were published from. For example, currently the script that's published is at commit 6d9743e;
curl -fsSL https://get.docker.com > install.sh
grep SCRIPT_COMMIT_SHA= install.sh
SCRIPT_COMMIT_SHA="6d9743e9656cc56f699a64800b098d5ea5a60020"
With that, you should be able to verify that the content of the script you downloaded matches the expected content (barring the actual SCRIPT_COMMIT_SHA line);
export SCRIPT_COMMIT_SHA="6d9743e9656cc56f699a64800b098d5ea5a60020"
git diff --no-index ./install.sh <(curl -fsSL "https://raw.githubusercontent.com/docker/docker-install/${SCRIPT_COMMIT_SHA}/install.sh")
diff --git a/dev/fd/63 b/dev/fd/62
--- a/dev/fd/63
+++ b/dev/fd/62
@@ -80,7 +80,7 @@ set -e
# Git commit from https://github.com/docker/docker-install when
# the script was uploaded (Should only be modified by upload job):
-SCRIPT_COMMIT_SHA="6d9743e9656cc56f699a64800b098d5ea5a60020"
+SCRIPT_COMMIT_SHA="${LOAD_SCRIPT_COMMIT_SHA}"
# strip "v" prefix if present
VERSION="${VERSION#v}"
Or if you have envsubst installed, you could substitute the $LOAD_SCRIPT_COMMIT_SHA in the script to make sure there's no diff;
export LOAD_SCRIPT_COMMIT_SHA="6d9743e9656cc56f699a64800b098d5ea5a60020"
git diff --no-index ./install.sh <(curl -fsSL "https://raw.githubusercontent.com/docker/docker-install/${LOAD_SCRIPT_COMMIT_SHA}/install.sh" | envsubst '$LOAD_SCRIPT_COMMIT_SHA')