You know what? This is perfect.

Some users are gonna go all "no", "this is bad", "no malware on HN" and "you must be crazy to do it yadda yadda" on you, but in the end it doesn't matter because you've done it: you've disrupted that little peace of mind they had about running "curl rvm.io/install | sh".

Now they know that piping a curl command to shell is akin to unprotected sex. Sure, I'd happily be the first to say "oh come on, we all know RVM, the guy doesn't have any diseases: he's all clean, there's no risk" and we'd all be happy to follow with some wishful thinking of "there's a one in a billion chance something bad happens, no way I'm that unlucky".

But just like Russian roulette, one bad time is enough to get in a _LOT_ of trouble.

Sorry comrades, I'm done compromising my box's security on a daily basis. From now on, I'll GPG-check your install scripts before piping them blindly to my personal area :)

Even better: why don't we write a common install pattern for scripts?

Something simple like $ web-install http://your-site.com/

* Attempts to download conf file from http://your-site.com/WEB_INSTALL

* Looks up install script and gpg file path in the conf file

* Downloads install script and gpg file to /tmp and gpg-checks the install script.

* If it all checks out, run the install script.

Or maybe we already have something cool like this but some developers seem to think these commodities are for neckbeards who swim in gpg keys all day long?

PS: Using RVM as an example there because I only have them in mind but I did this for npm too in the past and countless others I can't remember, so no hate intended against them.
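
The web-install steps proposed in the comment above, sketched as an added example that is not part of the original comment or of any existing tool. The `key=value` conf format, the function names and the `WEB_INSTALL_KEYRING` variable are assumptions; the keyring is assumed to hold only the publisher's key, obtained separately from the site being installed from.

```shell
#!/bin/sh
# Sketch of the proposed web-install flow: conf -> script + signature -> verify -> run.
# Assumed conf format (the comment does not define one): key=value lines,
# with "script" and "signature" holding paths relative to the site root.

# conf_get FILE KEY: print the first value of KEY; fail if it is missing.
conf_get() {
    value=$(sed -n "s/^$2=//p" "$1" | head -n 1)
    [ -n "$value" ] && printf '%s\n' "$value"
}

# safe_path VALUE: accept only relative paths without ".." or a URL scheme,
# so the conf file cannot redirect downloads elsewhere.
safe_path() {
    case "$1" in
        ''|/*|*..*|*:*) return 1 ;;
    esac
    return 0
}

# verify_and_run SCRIPT SIG: run SCRIPT only if gpgv accepts the detached
# signature against the pinned keyring in $WEB_INSTALL_KEYRING (assumed name).
verify_and_run() {
    [ -n "${WEB_INSTALL_KEYRING:-}" ] || { echo "web-install: no keyring set" >&2; return 1; }
    gpgv --keyring "$WEB_INSTALL_KEYRING" "$2" "$1" >/dev/null 2>&1 || {
        echo "web-install: signature check failed, not running $1" >&2
        return 1
    }
    sh "$1"
}

web_install() {
    base=${1%/}
    tmp=$(mktemp -d) || return 1   # private directory, not a guessable /tmp name
    curl -fsSL "$base/WEB_INSTALL" -o "$tmp/conf" || return 1
    script=$(conf_get "$tmp/conf" script) || return 1
    sig=$(conf_get "$tmp/conf" signature) || return 1
    safe_path "$script" || return 1
    safe_path "$sig" || return 1
    curl -fsSL "$base/$script" -o "$tmp/install.sh" || return 1
    curl -fsSL "$base/$sig" -o "$tmp/install.sh.sig" || return 1
    verify_and_run "$tmp/install.sh" "$tmp/install.sh.sig"
}

# Run only when given a site URL, so the functions can also be sourced.
if [ $# -gt 0 ]; then web_install "$1"; fi
```

A signature fetched from the same site as the script only proves something if the verifying key was pinned beforehand; a key downloaded alongside the script can be replaced by whoever replaced the script.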