Comment by dist-epoch

> And I do religiously verify that the "file inside the script" does have a valid signature when it has one.

If you want to go down this route, there is no need to reinvent the wheel. You can add custom repositories to apt/..., you only need to do this once and verify the repo key, and then you get this automatic verification and installation infrastructure. Of course, not every project has one.