Problem description
Installing Docker requires adding Docker's official GPG key.
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
Why do we need
This is not Docker-specific. Most Linux package managers can validate the integrity of a software package before installation by verifying it against a PGP (GPG) key.
Most modern Linux distributions come with a set of PGP keys installed for the default repositories of that distribution. As Docker updates its packages at a different frequency than the distributions do, it has chosen to run its own package repositories for the major distributions. When you configure your system to install packages from one of those repositories, you have to add the public key so you can validate the packages.
This is not something that has to be done: Red Hat's yum has --nogpgcheck, and Debian's dpkg has --no-debsig, both of which allow skipping validation of the signatures. Anyone who installs that way does so at their own risk.
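As an added example (not from the original post or from Docker's documentation), the script below checks the downloaded key's fingerprint against a pinned value and only then stores it in a dedicated keyring, rather than piping the download straight into the trust store. `EXPECTED_FPR` is a placeholder, and the keyring path and function names are assumptions; only the key URL comes from the command above.

```shell
#!/bin/sh
# Added example: pin a repository signing key by fingerprint before trusting it.
# EXPECTED_FPR is a placeholder (assumption): take the real value from the
# vendor's install documentation, not from the same download as the key.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"
KEY_URL="https://download.docker.com/linux/ubuntu/gpg"  # URL from the page
KEYRING="/etc/apt/keyrings/docker.gpg"                   # assumed destination

# Normalise a fingerprint: drop whitespace, upper-case the hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint: field 10 of the first "fpr" record.
primary_fpr() { awk -F: '$1 == "fpr" { print $10; exit }'; }

# Succeed only if the actual fingerprint ($2) is non-empty hex and equals
# the pinned one ($1).
fpr_matches() {
    _want=$(norm_fpr "$1"); _got=$(norm_fpr "$2")
    case "$_got" in ""|*[!0-9A-F]*) return 1 ;; esac
    [ "$_want" = "$_got" ]
}

install_key() {
    tmp=$(mktemp) || return 1
    curl -fsSL "$KEY_URL" -o "$tmp" || { rm -f "$tmp"; return 1; }
    got=$(gpg --show-keys --with-colons "$tmp" | primary_fpr)
    if ! fpr_matches "$EXPECTED_FPR" "$got"; then
        echo "fingerprint mismatch, key not installed: '$got'" >&2
        rm -f "$tmp"; return 1
    fi
    # Keep the key in its own keyring, to be named in the repository's
    # sources entry with signed-by=, so it vouches for this repository only.
    gpg --dearmor < "$tmp" > "$tmp.gpg" &&
        sudo install -D -m 0644 "$tmp.gpg" "$KEYRING"
    rc=$?; rm -f "$tmp" "$tmp.gpg"; return "$rc"
}

# The network and sudo steps run only on request: sh pin-key.sh install
if [ "${1:-}" = "install" ]; then install_key; fi
```

With the placeholder left in place the script refuses to install anything, which is the intended failure mode for an unverified key.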
PGP VS. GPG
- PGP - Pretty Good Privacy
  It was created in the 1990s and is currently owned by security software company Symantec.
- Open PGP
  PGP is the backbone of Open PGP, which is an open source standard that allows PGP to be used in software that is typically free to the public.
- GPG - GNU Privacy Guard
  A different implementation of Open PGP. GPG is defined by RFC 4880 (the official name for the Open PGP standard).
References
- Why do we require a GPG key downloading Docker packages?
- PGP vs. GPG: What’s the Difference?