Imagine an installer script that runs a build script and then cleans up after itself. So somewhere in the depths of it there is the command rm /home/gonzales/.build/foo, but the network connection cuts out just after /home/gonzales so the last thing that the interpreter sees is rm /home/gonzales and well ... there you go.
Stranger things have happened.
Then there's https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b...
Unless you got the PGP key from the same file server, which is typical.
It's not hard to DTRT though. E.g. the Docker install instructions have
4. Add the new GPG key.
$ sudo apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
* It will not overwrite any files that are owned by another package.
* If/When you update it later and the programme has changed the config files, apt can tell you if you've changed the config files on your machine and offer you a diff, or what to do.
* It can be easily uninstalled later
* You can download the dpkg file(s) and store them locally, and give them to a friend later/install on your own server later, knowing that you are installing the same files as you installed on your desktop/testing system.
* If there is a network problem while downloading the deb, so what? Nothing bad happens. The software won't be installed, but there's no risk of your home directory being deleted.
* Installation is more atomic. Either the package will be installed properly or not at all.
If an executable is not signed, I don't see any difference, if you are not going to inspect the script before you run it. You either trust a website or not.
So I doubt signature checking is ever done in practice, at least on systems where curl|bash is an alternative.
You could still sign the .sh installer with GPG, but then you'd have to get the public key from somewhere (and get people to care about verifying the sig first). If you're communicating a key somewhere, you might as well just publish the hash sum and communicate that.
I don't know for "curl | bash", but using a URL shortener there doesn't seem like a good idea.
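An added example, not part of the thread or of any project mentioned in it: it combines the truncated-download scenario from the first comment with the suggestion to publish a hash sum, by saving the installer to a file and running it only if the whole file matches the published SHA-256. The function names, the scratch directory and both installer files are constructed for illustration; nothing is downloaded.

```shell
#!/bin/sh
# Added example. All paths and file contents are constructed for illustration.

# Print the SHA-256 of file $1, using whichever common tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Run installer $1 only if the whole file matches the published hash $2.
# Returns 1 on mismatch (e.g. a truncated download), 2 if hashing failed.
run_if_verified() {
    actual=$(sha256_of "$1")
    [ -n "$actual" ] || return 2
    if [ "$actual" != "$2" ]; then
        echo "hash mismatch for $1: refusing to run" >&2
        return 1
    fi
    sh "$1"
}

# Build a scratch tree standing in for a home directory, a complete installer,
# and a copy cut off mid-path as in the scenario above. Prints the scratch dir.
make_fixture() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/home/.build"
    : > "$d/home/.build/foo"
    : > "$d/home/notes.txt"
    printf 'rm "%s"\n' "$d/home/.build/foo" > "$d/install.sh"
    printf 'rm %s' "$d/home" > "$d/partial.sh"   # transfer cut off mid-path
    echo "$d"
}

demo() {
    d=$(make_fixture) || return 2
    published=$(sha256_of "$d/install.sh")   # stands in for the published hash
    for f in partial.sh install.sh; do
        if run_if_verified "$d/$f" "$published"; then echo "$f: ran"
        else echo "$f: refused"; fi
    done
    ls -A "$d/home"    # .build and notes.txt remain; only .build/foo is gone
    rm -rf "$d"
}
demo
```

The check only detects a file that differs from what was published; as the comments above note, it is worth as much as the channel the hash itself came from.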