Problem description
The documentation here https://docs.docker.com/install/linux/docker-ce/ubuntu/ / https://docs.docker.com/install/linux/docker-ee/ubuntu/ suggests the following command to add the docker key:
curl -fsSL "${DOCKER_EE_URL}/ubuntu/gpg" | sudo apt-key add -
However,
1. it is not obvious that this cannot be turned into a DoS by adding 999 keys
2. when the next verification step fails, I am still stuck with a bad key
Isn't there a better-targeted command that downloads the key and only adds it after verifying it? Something like the following, but a verifying alternative:
apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
(since, while this one has the long key id and therefore could in principle verify, it doesn't appear to do that in practice either; from the apt-key man page:

    adv
        Pass advanced options to gpg. With adv --recv-key you can e.g. download key from
        keyservers directly into the trusted set of keys. Note that there are no checks
        performed, so it is easy to completely undermine the apt-secure(8) infrastructure if
        used without care.
)
Problem location
Suggestions for a fix
See above, it should be a command where the key fingerprint is checked before it is added system-wide.
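As an added example (not from the Docker docs or the issue author), the script below does what the report asks for: it downloads the key to a file instead of piping it into apt-key, imports it into a throwaway gpg homedir/keyring, checks that the keyring holds exactly one primary key whose fingerprint equals the pinned value, and only then exports it to a path apt can use. The function names (check_fingerprints, install_verified_key), the destination /etc/apt/keyrings/docker.gpg and the colon-format parsing are this example's own choices; the fingerprint in the usage comment is the one quoted in the report.

```shell
#!/bin/sh
# Added example: verify a repository signing key's fingerprint before it is
# installed system-wide. Not part of the Docker documentation.
set -eu

# check_fingerprints EXPECTED
# Reads `gpg --with-colons --fingerprint` output on stdin and succeeds only if
# it contains exactly one primary key ('pub') whose fingerprint ('fpr' line,
# field 10) equals EXPECTED. Spaces and case in EXPECTED are ignored.
# Rejects empty listings and multi-key bundles (the "999 keys" case), and does
# not count subkey fingerprints.
check_fingerprints() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$expected" '
        $1 == "pub" { npub++; primary = 1; next }
        $1 == "sub" || $1 == "ssb" { primary = 0; next }
        $1 == "fpr" && primary { primary = 0; if ($10 == want) hits++ }
        END { if (npub == 1 && hits == 1) exit 0; exit 1 }'
}

# install_verified_key URL FINGERPRINT DEST
# Nothing touches the system trust store until the fingerprint check passes.
# Needs curl and gpg; writing DEST under /etc/apt/keyrings needs root.
install_verified_key() {
    url=$1; want=$2; dest=$3
    tmp=$(mktemp -d)                       # private homedir + keyring, 0700
    trap 'rm -rf "$tmp"' EXIT
    # 1. download to a file instead of piping straight into apt-key
    curl -fsSL "$url" -o "$tmp/key.asc"
    # 2. import into the isolated keyring; the system keyrings are untouched
    gpg --batch --quiet --homedir "$tmp" --no-default-keyring \
        --keyring "$tmp/ring.gpg" --import "$tmp/key.asc"
    # 3. list what was actually received and compare it to the pinned value
    gpg --batch --homedir "$tmp" --no-default-keyring \
        --keyring "$tmp/ring.gpg" --with-colons --fingerprint > "$tmp/listing"
    if ! check_fingerprints "$want" < "$tmp/listing"; then
        echo "refusing to install key from $url: fingerprint/key-count check failed" >&2
        return 1
    fi
    # 4. only now export the (binary) key to where apt will find it
    gpg --batch --homedir "$tmp" --no-default-keyring \
        --keyring "$tmp/ring.gpg" --export > "$dest"
}

# Usage (URL variable and fingerprint as quoted in the report; assumed destination):
#   install_verified_key "${DOCKER_EE_URL}/ubuntu/gpg" \
#       58118E89F3A912897C070ADBF76221572C52609D /etc/apt/keyrings/docker.gpg
```

Once the key is in /etc/apt/keyrings/docker.gpg it can be referenced from the repository line with apt's signed-by option (deb [signed-by=/etc/apt/keyrings/docker.gpg] ...), which scopes the key to that one repository instead of trusting it for every source the way apt-key add does.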