In order to be effective, signatures have to come from a root of trust. Where are you forming a trust basis for a signature in the curl? The GPG sigs built into your package manager are signed by the packager and form a cascading tree of trust, and the TLS certifcate authority system is also supposed to form a foundation for trust. (Sigs are on the file, but where do you get the packager's first signature in this place? curl from https piped into sudo doesn't decrease the CA trust model and a sig on the file as well doesn't add anything, since the sig would be easily replaced by anyone with the wherewithal to mod the original file.
Instead, that sig would be security theater, much like an EV-TLS cert. (Not that security theater can't still be valuable from a marketing perspective from people who think that checking sigs on an https site is still valuable.)
While there can be security value in sigs, it doesn't come into play in these circumstances without starting from a position of a signed sig from somewhere, and ultimately the smart and paranoid will still curl to a file and actually read the script. Actually, ultimately, if you are in a security sensitive situation, you are probably not in the cloud at all, or on dedicated instances, and then you should avoid SaaS and cloud software altogether and look at an on-premise solution like Userify Express/AWS/Enterprise, as then you will have that crucial foundation of trust in your initial purchase and you can tightly control that environment.
