What's the point of signature verification if you get the signature and the binary from the same server? I appreciate the lack of pretenses of `curl | sudo bash`.
Well, an attacker would need to first steal the private keys before they could generate the forged signatures.
So, while you could still change the public keys in the instructions and trick first-comers to install a back-doored archive, you'd still be caught in a heartbeat by everyone else who already trusted the legitimate keys (which are published via a keyserver.)
The chances and rewards of a successful, long-lasting attack are pretty slim, especially compared to those against other curl-bang installers (brew, oh-my-zsh...)
