Closed
Description
After the #16123, a second step should be to sign all files needed for the installation. Each Rust versions are signed in the git repository. Great! If the "rustup.sh" is included in the git repository, it will be possible to anyone to verify the script (from a git tag) before executing it.
Maybe all (including nightly) underlying binaries hashes should "inherit" from the signature like with the "snapshots.txt" hashes? The main Rust repository or a dedicated one could aggregate all hashes.
So, the guide could be improved by replacing the "curl" instruction with a "git clone + verify-tag". This add some extra MB to the download but worth it for more security to users who care.