pgp.mit.edu is often down. I recommend changing to pool.sks-keyservers.net, which is the SKS key server pool that pgp.mit.edu is a part of. This will generally be more reliable since any member server (including pgp.mit.edu) could answer the key request.
Maybe hard-code the SHA256 checksum directly into the script instead?
Going through the keyservers does not seem to buy us much in terms of security and we certainly don't update the Dockerfiles very often, so it does not take too much time to verify those SHA256 checksums by hand when we do.
Using gpg was a mistake on my end; it makes things more complicated and less reliable.
I don't have enough experience in this area to evaluate that. I suggest accepting the current patch (which is definitely an easy-to-understand improvement) and discussing your suggestion in a separate patch. One step at a time. ;-)
Sure, LGTM, did not want to block you.
If you're interested in further improvements, the idea is to:
- remove all references to gpg from the script.
- hard-code the SHA256 in the script and use it to validate the download, i.e.
  echo "0e6ec35d4fa9bf79800118916b51928b6471d5725ff36f1d0de5ebb34dcd5406  cmake-3.7.2-Linux-x86_64.tar.gz" | sha256sum -c -
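
A fail-closed form of the pinned-checksum check suggested above, as an added example that is not part of the original thread or of the script under review. The helper name verify_pinned_sha256 is an assumption; the digest and file name in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: verify a download against a SHA256 pinned in the script.
# verify_pinned_sha256 is a hypothetical helper name.
#
# Usage: verify_pinned_sha256 <expected-hex-digest> <file>
# Returns 0 only if the file exists and its digest matches the pin.
#   1 = mismatch (file removed), 2 = malformed pin, 3 = file missing,
#   4 = sha256sum not available.
verify_pinned_sha256() {
    expected=$1
    file=$2

    # A pin must be exactly 64 hex characters; catch copy/paste damage early.
    case $expected in
        *[!0-9a-fA-F]*) echo "pinned digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "pinned digest is not 64 chars" >&2; return 2; }

    [ -f "$file" ] || { echo "missing file: $file" >&2; return 3; }
    command -v sha256sum >/dev/null 2>&1 || { echo "sha256sum not found" >&2; return 4; }

    # Compute the digest directly instead of feeding a line to 'sha256sum -c',
    # whose input format is sensitive to the hash/filename separator.
    actual=$(sha256sum < "$file" | cut -d' ' -f1)
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')

    if [ "$actual" != "$expected" ]; then
        echo "SHA256 mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        # Fail closed: do not leave an unverified archive for later build steps.
        rm -f -- "$file"
        return 1
    fi
    return 0
}

# Intended use in the install script, with the values quoted in the thread:
#   verify_pinned_sha256 \
#     0e6ec35d4fa9bf79800118916b51928b6471d5725ff36f1d0de5ebb34dcd5406 \
#     cmake-3.7.2-Linux-x86_64.tar.gz || exit 1
```

The pin has to be updated in the same change that bumps the downloaded version, so a reviewer sees both together.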