@mppf If our web server gets hacked it could serve different images to different people regardless of the verification/delivery mechanism. The attacker just has to change the SHA hash or PGP key or whatever else security theatre approach you use to "verify" the file with data coming from a web server anyway.
The script is just a bootstrap. The actual installer gets downloaded and unpacked to /tmp. Yes a malicious script could do something non persistent directly in the bootstrap. But a malicious download could also self-modify to erase the malicious part after it's done. This is a red herring.
That is: none of your arguments are arguments against curl|sh that don't also apply to everything else.
@marcan That's true but misses something important about security measures. They are about making it harder for somebody to do something bad, not to necessarily prevent it entirely. Having to change a SHA hash in a coordinated way is tricky for an attacker and significantly increases the difficulty.
Also, publish the SHA hash etc makes it much easier for people to compare notes and especially makes figuring out what happened easier in the context of incident response.