You can also pull via the sha rather than the tag, which gives you significant extra assurance.
docker pull docker/binfmt@sha256:5a9ad88945dff7dc1af2ef7c351fe3dd9f7c874eb2c912c202ced088d21c178a
Once you've confirmed you're happy with the script, I don't believe there is any issue with automating this.
docker run --rm --privileged docker/binfmt:@sha256:5a9ad88945dff7dc1af2ef7c351fe3dd9f7c874eb2c912c202ced088d21c178a
In theory, the underlying container cannot be changed, which is what most of the issues with piping curl into bash is.
You can also pull via the sha rather than the tag, which gives you significant extra assurance.
docker pull docker/binfmt@sha256:5a9ad88945dff7dc1af2ef7c351fe3dd9f7c874eb2c912c202ced088d21c178a
Once you've confirmed you're happy with the script, I don't believe there is any issue with automating this.
docker run --rm --privileged docker/binfmt:@sha256:5a9ad88945dff7dc1af2ef7c351fe3dd9f7c874eb2c912c202ced088d21c178a
In theory, the underlying container cannot be changed, which is what most of the issues with piping curl into bash is.