It solves initial installation too if you trust particular roots.
There is a reason Windows/Android/Linux distros/iOS do signed software.
This problem was known about and was solved 20+ years ago with signed updates. “curl | sh” is back in vogue because people don’t understand the problem and think HTTPS means secure.
That is what I mean about it only being better in the limited scenario where you are getting the package from an already-trusted central repo. But that is surely not the case in this particular situation, for example.