[3xblah]

"You can only be sure of what you're running if you download it first, examine it, then run what you downloaded."

What if, before "run what you downloaded", first perform a dry run and observe it while it is running.

   set -x
   curl https://example.com/setup.sh | bash -n
   set +x

-x Execution trace

-n Read commands but do not execute them

https://en.wikipedia.org/wiki/Dry_run_(testing)

[3xblah]

Correction: -n and -x are obviously mutually exclusive. Have to use -v instead.

   curl https://example.com/setup.sh | bash -vn

As for trying to hide commands from an execution trace, it is not possible to hide the set +x command.

   cat > 1.sh
   echo visible
   set +v
   set +x
   echo hidden >/dev/null
   ^D

   cat 1.sh | bash -x

Output:

  + echo visible
  visible
  + set +v
  + set +x

One can syntax check setup.sh before downloading it with -vn (or perhaps shellcheck). After downloading and reading it, one can observe it while it is running with -x.

The truth is that people download and run shell scripts without reading them all the time. For example, how many people installing software packaged with configure scripts actually read the scripts. (Except in the event they do not work.)

[throwaway2048]

a script can just set +x before doing anything else, and then fake output.

[jwilk]

No, this doesn't work.

[ktpsns]

Why not?