There are existing methods to avoid this hassle, for example, to have the server provide both script.sh and script.sh.asc (ex. gpg --verify script.asc) or checksums.txt (ex. sha256sum --check checksums.txt).

Package managers (with mirror-able index database) have similar functionality built-in.