You should publish the hash of the script, then the user should download it to disk, verify the script and then execute it. The same as would apply to any binary download - if a binary can be compromised so can a shell script.
Alternatively you can code review the script before executing it, which is a plus.
Hashes are useful when software is hosted on third-party mirrors or CDNs. If the software is hosted on the same server as the webpage about it, then anyone in a position to replace the download can and will replace the hash as well.
You have to trust someone to build a trusted chain. Trusted CA roots from SSL are a good practical choice IMO. Maybe the NSA or the Chinese government could theoretically crack that setup, but for other adversaries it would be much harder.
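The download-to-disk, verify, then execute sequence discussed in this thread, as an added example that is not part of any participant's post. It assumes the expected SHA-256 was obtained from somewhere other than the download host; the function names and the constructed `install.sh` are hypothetical.

```shell
# Added example (not from the thread). Assumes the expected SHA-256 came
# from a channel other than the download host.

sha256_of() {                       # print lowercase hex digest of file $1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_HEX -> 0 match, 1 mismatch, 2 bad input
verify_script() {
    local file expected actual
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 2
    [ "${#expected}" -eq 64 ] || return 2
    case $expected in *[!0-9a-f]*) return 2 ;; esac
    actual=$(sha256_of "$file") || return 2
    [ "$actual" = "$expected" ]
}

# verify_and_run FILE EXPECTED_HEX [ARGS...]: execute only after a match
verify_and_run() {
    local file expected
    file=$1; expected=$2
    shift 2
    if verify_script "$file" "$expected"; then
        sh "$file" "$@"
    else
        echo "refusing to run $file: SHA-256 check failed" >&2
        return 1
    fi
}

# Constructed demo: a stand-in installer, its "published" hash, then tampering.
demo() {
    local dir good
    dir=$(mktemp -d) || return 2
    printf 'echo "installing into $1"\n' > "$dir/install.sh"
    good=$(sha256_of "$dir/install.sh")
    verify_and_run "$dir/install.sh" "$good" /opt/example || return 1
    printf 'echo tampered\n' >> "$dir/install.sh"   # simulate a swapped download
    if verify_and_run "$dir/install.sh" "$good" 2>/dev/null; then
        rm -rf "$dir"; return 1
    fi
    rm -rf "$dir"
}
```

Calling `demo` runs the untampered script once and then refuses the modified copy; the file is hashed on disk, so what is verified is exactly what gets executed.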