[feature] SHA256 for Install Script

[sc250024]

Description

For security purposes, it would be nice if this repository could also publish a SHA256 file (maybe https://get.docker.com/SHA256SUM) so that the script itself can be verified before running.

[thaJeztah]

We don't currently publish checksums, but the scripts published at get.docker.com do contain the commit that they were published from. For example, currently the script that's published is at commit 6d9743e;

curl -fsSL https://get.docker.com > install.sh
cat install.sh | grep SCRIPT_COMMIT_SHA=
SCRIPT_COMMIT_SHA="6d9743e9656cc56f699a64800b098d5ea5a60020"

With that, you should be able to verify that the content of the script you downloaded matches the expected content (baring the actual SCRIPT_COMMIT_SHA line);

export SCRIPT_COMMIT_SHA="6d9743e9656cc56f699a64800b098d5ea5a60020"
git diff --no-index ./install.sh <(curl -fsSL "https://raw.githubusercontent.com/docker/docker-install/${SCRIPT_COMMIT_SHA}/install.sh")
diff --git a/dev/fd/63 b/dev/fd/62
--- a/dev/fd/63
+++ b/dev/fd/62
@@ -80,7 +80,7 @@ set -e

 # Git commit from https://github.com/docker/docker-install when
 # the script was uploaded (Should only be modified by upload job):
-SCRIPT_COMMIT_SHA="6d9743e9656cc56f699a64800b098d5ea5a60020"
+SCRIPT_COMMIT_SHA="${LOAD_SCRIPT_COMMIT_SHA}"

 # strip "v" prefix if present
 VERSION="${VERSION#v}"

Or if you have envsubst installed, you could substitute the $LOAD_SCRIPT_COMMIT_SHA in the script to make sure there's no diff;

export LOAD_SCRIPT_COMMIT_SHA="6d9743e9656cc56f699a64800b098d5ea5a60020"
git diff --no-index ./install.sh <(curl -fsSL "https://raw.githubusercontent.com/docker/docker-install/${LOAD_SCRIPT_COMMIT_SHA}/install.sh" | envsubst '$LOAD_SCRIPT_COMMIT_SHA')