diff --git a/hack/install.sh b/hack/install.sh
index 53876d8a04..92d48c903a 100755
--- a/hack/install.sh
+++ b/hack/install.sh
@@ -23,7 +23,10 @@ set -e
 #     s3cmd put --acl-public -P hack/install.sh s3://get.docker.com/index
 #
 
-url='https://get.docker.com/'
+url="https://get.docker.com/"
+apt_url="https://apt.dockerproject.org"
+yum_url="https://yum.dockerproject.org"
+gpg_fingerprint="58118E89F3A912897C070ADBF76221572C52609D"
 
 command_exists() {
 	command -v "$@" > /dev/null 2>&1
@@ -161,11 +164,13 @@ do_install() {
 	fi
 
 	# check to see which repo they are trying to install from
-	repo='main'
-	if [ "https://test.docker.com/" = "$url" ]; then
-		repo='testing'
-	elif [ "https://experimental.docker.com/" = "$url" ]; then
-		repo='experimental'
+	if [ -z "$repo" ]; then
+		repo='main'
+		if [ "https://test.docker.com/" = "$url" ]; then
+			repo='testing'
+		elif [ "https://experimental.docker.com/" = "$url" ]; then
+			repo='experimental'
+		fi
 	fi
 
 	# perform some very rudimentary platform detection
@@ -370,9 +375,9 @@ do_install() {
 			fi
 			(
 			set -x
-			$sh_c "apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D"
+			$sh_c "apt-key adv --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys ${gpg_fingerprint}"
 			$sh_c "mkdir -p /etc/apt/sources.list.d"
-			$sh_c "echo deb [arch=$(dpkg --print-architecture)] https://apt.dockerproject.org/repo ${lsb_dist}-${dist_version} ${repo} > /etc/apt/sources.list.d/docker.list"
+			$sh_c "echo deb [arch=$(dpkg --print-architecture)] ${apt_url}/repo ${lsb_dist}-${dist_version} ${repo} > /etc/apt/sources.list.d/docker.list"
 			$sh_c 'sleep 3; apt-get update; apt-get install -y -q docker-engine'
 			)
 			echo_docker_as_nonroot
@@ -383,10 +388,10 @@ do_install() {
 			$sh_c "cat >/etc/yum.repos.d/docker-${repo}.repo" <<-EOF
 			[docker-${repo}-repo]
 			name=Docker ${repo} Repository
-			baseurl=https://yum.dockerproject.org/repo/${repo}/${lsb_dist}/${dist_version}
+			baseurl=${yum_url}/repo/${repo}/${lsb_dist}/${dist_version}
 			enabled=1
 			gpgcheck=1
-			gpgkey=https://yum.dockerproject.org/gpg
+			gpgkey=${yum_url}/gpg
 			EOF
 			if [ "$lsb_dist" = "fedora" ] && [ "$dist_version" -ge "22" ]; then
 				(
diff --git a/hack/make/install-script b/hack/make/install-script
new file mode 100644
index 0000000000..feadac2f38
--- /dev/null
+++ b/hack/make/install-script
@@ -0,0 +1,63 @@
+#!/bin/bash
+set -e
+
+# This script modifies the install.sh script for domains and keys other than
+# those used by the primary opensource releases.
+#
+# You can provide `url`, `yum_url`, `apt_url` and optionally `gpg_fingerprint`
+# or `GPG_KEYID` as environment variables, or the defaults for open source are used.
+#
+# The lower-case variables are substituted into install.sh.
+#
+# gpg_fingerprint and GPG_KEYID are optional, defaulting to the opensource release
+# key ("releasedocker"). Other GPG_KEYIDs will require you to mount a volume with
+# the correct contents to /root/.gnupg.
+#
+# It outputs the modified `install.sh` file to $DOCKER_RELEASE_DIR (default: $DEST)
+#
+# Example usage:
+#
+# docker run \
+# --rm \
+# --privileged \
+# -e "GPG_KEYID=deadbeef" \
+# -e "GNUPGHOME=/root/.gnupg" \
+# -v $HOME/.gnupg:/root/.gnupg \
+# -v $(pwd):/go/src/github.com/docker/docker/bundles \
+# "$IMAGE_DOCKER" \
+# hack/make.sh install-script
+
+: ${DOCKER_RELEASE_DIR:=$DEST}
+: ${GPG_KEYID:=releasedocker}
+
+DEFAULT_URL="https://get.docker.com/"
+DEFAULT_APT_URL="https://apt.dockerproject.org"
+DEFAULT_YUM_URL="https://yum.dockerproject.org"
+DEFAULT_GPG_FINGERPRINT="58118E89F3A912897C070ADBF76221572C52609D"
+
+: ${url:=$DEFAULT_URL}
+: ${apt_url:=$DEFAULT_APT_URL}
+: ${yum_url:=$DEFAULT_YUM_URL}
+if [[ "$GPG_KEYID" == "releasedocker" ]] ; then
+	: ${gpg_fingerprint:=$DEFAULT_GPG_FINGERPRINT}
+fi
+
+DEST_FILE="$DOCKER_RELEASE_DIR/install.sh"
+
+bundle_install_script() {
+	mkdir -p "$DOCKER_RELEASE_DIR"
+
+	if [[ -z "$gpg_fingerprint" ]] ; then
+		# NOTE: if no key matching key is in /root/.gnupg, this will fail
+		gpg_fingerprint=$(gpg --with-fingerprint -k "$GPG_KEYID" | grep "Key fingerprint" | awk -F "=" '{print $2};' | tr -d ' ')
+	fi
+
+	cp hack/install.sh "$DEST_FILE"
+	sed -i.bak 's#^url=".*"$#url="'"$url"'"#' "$DEST_FILE"
+	sed -i.bak 's#^apt_url=".*"$#apt_url="'"$apt_url"'"#' "$DEST_FILE"
+	sed -i.bak 's#^yum_url=".*"$#yum_url="'"$yum_url"'"#' "$DEST_FILE"
+	sed -i.bak 's#^gpg_fingerprint=".*"$#gpg_fingerprint="'"$gpg_fingerprint"'"#' "$DEST_FILE"
+	rm "${DEST_FILE}.bak"
+}
+
+bundle_install_script
diff --git a/hack/release.sh b/hack/release.sh
index d231c167af..7d9bacec89 100755
--- a/hack/release.sh
+++ b/hack/release.sh
@@ -289,7 +289,8 @@ EOF
 # Upload the index script
 release_index() {
 	echo "Releasing index"
-	sed "s,url='https://get.docker.com/',url='$(s3_url)/'," hack/install.sh | write_to_s3 "s3://$BUCKET_PATH/index"
+	url="$(s3_url)" hack/make.sh install-script
+	write_to_s3 "s3://$BUCKET_PATH/index" < "bundles/$VERSION/install-script/install.sh"
 }
 
 release_test() {