
None of this is security theatre.

It's ensuring you'll get the exact script they provided and run that to install on your system. It will install something with really high privilege, so if you trust them enough to install that, surely you trust them enough to run their install script.

If you can't trust their install script, I'd say you should probably trust them even less with running something in-kernel so none of this is an actual issue.




> It's ensuring you'll get the exact script they provided and run that to install on your system.

Cryptographic signatures can prove that. Curl bash'ing really doesn't.

The very few pieces of software I install that aren't shipped with Debian (and hence signed and, for the most part, also bit-for-bit reproducible btw), I do verify their signature (when they're signed).

For that one program I really need that thinks bash curl'ing is somehow as secure as Debian signed (and reproducible) packages (it really isn't) or offers as many guarantees as signed software "because https" (it really doesn't), what I do is download the binary myself, take its cryptographic hash, and store that cryptographic hash for later use.

So, at least, if I need to reinstall it I know I'm reinstalling the exact same binary I curl bash'ed last time.

Curl bash'ing is really a pathetic way to ship software.
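
The download, hash, store and re-check routine described in the comment above, sketched as an added example (not code from the thread or from any commenter). The pin file location and the function names `sha256_of` and `pin_or_verify` are assumptions; a match only shows the bytes are the same as the first download, not that the first download was trustworthy.

```shell
#!/bin/sh
# Added example: trust-on-first-use hash pinning for a downloaded installer.
# PIN_FILE, sha256_of and pin_or_verify are hypothetical names.
PIN_FILE="${PIN_FILE:-$HOME/.installer-pins}"

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# pin_or_verify NAME FILE   (NAME must not contain whitespace)
#   0 = first sighting (hash recorded) or bytes match the recorded hash
#   1 = bytes differ from the recorded hash: do not run the file
#   2 = file missing or hash could not be computed
pin_or_verify() {
    name=$1
    file=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    [ -n "$actual" ] || return 2

    pinned=""
    if [ -f "$PIN_FILE" ]; then
        pinned=$(awk -v n="$name" '$2 == n { print $1; exit }' "$PIN_FILE")
    fi

    if [ -z "$pinned" ]; then
        # First use: nothing to compare against, so this proves nothing yet.
        printf '%s  %s\n' "$actual" "$name" >> "$PIN_FILE"
        echo "pinned $name $actual" >&2
        return 0
    fi
    if [ "$actual" = "$pinned" ]; then
        return 0
    fi
    echo "HASH MISMATCH for $name: pinned $pinned, got $actual" >&2
    return 1
}

# Typical use (URL is a placeholder): save the script to disk first, then
#   curl -fsSLo install.sh https://example.invalid/install.sh
#   pin_or_verify vendor-install install.sh && sh install.sh
```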


> Cryptographic signatures can prove that.

Assuming you have a fully trusted and bootstrapped side channel to get the public key from. And assuming that the compromise that resulted in this maliciously published binary also didn't compromise the private key.

Both are tall orders.



