This is not Docker-specific. Most Linux package managers can verify the authenticity and integrity of a software package before installing it by checking the PGP (GPG) signature on the package, or on the repository index that lists the package checksums, against a public key you have chosen to trust. Best practice is for the package maintainer to sign every package and publish the signing key, but not every maintainer does.

Most modern Linux distributions ship with the PGP keys for their default repositories already installed. Because Docker updates its packages on a different schedule than the distributions do, it runs its own package repositories for the major distributions. When you configure your system to install packages from one of those repositories, you must add Docker's public key so that the package manager can verify the signatures on the packages it downloads, and you should confirm that key's fingerprint against the one Docker publishes before trusting it, since whoever controls a trusted repository key can feed you arbitrary packages.
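The following script is an added example, not code from the original text or from Docker, of how to add a third-party repository key safely on a Debian or Ubuntu host: fetch the key, refuse it unless its fingerprint matches a value you copied from the vendor's documentation, and scope the key to that one repository. It assumes curl and gpg are installed and that the repository URL, keyring path and expected fingerprint below are correct for your distribution; the fingerprint shown is the one Docker publishes for its CE deb key, but re-check it against Docker's documentation before relying on it.

```shell
#!/bin/sh
# Added example (not from the original text or from Docker): install a vendor
# apt repository key only if its fingerprint matches a known-good value.
# Assumed values: the key URL, keyring path and expected fingerprint below.
set -eu

KEY_URL="https://download.docker.com/linux/ubuntu/gpg"
KEYRING="/etc/apt/keyrings/docker.gpg"
REPO_URL="https://download.docker.com/linux/ubuntu"
# Fingerprint as printed in Docker's documentation; verify it independently.
EXPECTED_FPR="9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88"

# Normalize a fingerprint for comparison: drop whitespace, upper-case hex.
# Vendor docs print it in groups of four; gpg --with-colons prints it bare.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Succeed (exit 0) only when both arguments name the same key.
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Print the fingerprint of each primary key in a key file, one per line,
# without importing anything into the local keyring.
keyfile_fingerprints() {
    gpg --with-colons --with-fingerprint --show-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "pub" { want = 1; next }
                   $1 == "fpr" && want { print $10; want = 0 }'
}

# Download the key, require exactly one primary key with the expected
# fingerprint, install it for apt, and bind it to this repository only.
install_repo_key() {
    tmp=$(mktemp)
    curl -fsSL "$KEY_URL" | gpg --dearmor > "$tmp"

    fprs=$(keyfile_fingerprints "$tmp")
    count=$(printf '%s\n' "$fprs" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "refusing key file: expected 1 primary key, found $count" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! fingerprint_matches "$fprs" "$EXPECTED_FPR"; then
        echo "refusing key file: fingerprint $fprs != $EXPECTED_FPR" >&2
        rm -f "$tmp"
        return 1
    fi

    install -d -m 0755 "$(dirname "$KEYRING")"
    install -m 0644 "$tmp" "$KEYRING"
    rm -f "$tmp"

    # signed-by= limits this key to this repository; apt-key add would have
    # made it a trusted signer for every repository on the system.
    arch=$(dpkg --print-architecture)
    codename=$(. /etc/os-release && printf '%s' "$VERSION_CODENAME")
    printf 'deb [arch=%s signed-by=%s] %s %s stable\n' \
        "$arch" "$KEYRING" "$REPO_URL" "$codename" \
        > /etc/apt/sources.list.d/docker.list
    echo "installed $KEYRING with fingerprint $fprs"
}

# Only touch the system when invoked as: sh thisscript.sh install
if [ "${1:-}" = "install" ]; then
    install_repo_key
fi
```

Run it as root with the `install` argument; without the argument it only defines the functions, so you can source it and call `fingerprint_matches` or `keyfile_fingerprints` against a key file you already have. The fingerprint check is the part that matters: a TLS download proves you reached download.docker.com, not that the key you received is the one Docker signs packages with, and once a key is trusted by apt, anyone holding the matching private key can ship you packages.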