[bombcar]

I've seen scripts (self-extracting archives for Linux, for example) that checksum themselves either by some trickery, or just ignoring the first line after the shebang (which itself is the computed checksum of the rest of the file).

[Scaevolus]

Incorporating an MD5 quine into a shellscript would be funny.

[seeknotfind]

And a sha256 quine would be terrifying. :)

[kazinator]

The problem is, the wrong party is doing the check (from a security point of view, not integrity).

When we download a script from a remote domain we don't trust, we have to validate its checksum against the known one; we can't leave that to the script, which we don't trust.

[joshspankit]

In this case we’re specifically talking about the possibility of a truncated script from a trusted source

[kevincox]

99% of the time you are downloading from a domain that you do trust. This check is to detect corruption, not malice.

But yes, if you were downloading from an untrusted mirror you would want to check the signature or trusted hash before running the script at all.

[cassianoleal]

That can be useful against download corruption but wouldn't do much against an actual attack (in this case, the attacker can just update the checksum).