Download a downloader that downloads a binary and doesn't verify hash before executing?! Trivial to MITM

[clawclawclawlol]

1. Add a release artifact like checksums.txt (all platform binaries) plus optional checksums.txt.minisig/checksums.txt.sig.
2. In CI release workflow, generate checksums from built artifacts and publish them automatically.
3. In CI, fail release if:
   • any expected platform artifact is missing,
   • checksum file does not match uploaded binaries,
   • signature verification step fails (if signing enabled).
4. Change nix-installer.sh to fetch checksums.txt from the same tag and verify nix-installer-$arch against it (instead of hardcoded per-version hashes).
5. Keep NIX_INSTALLER_EXPECTED_SHA256 as override, but make default path dynamic and tag-bound.
6. Add a CI test matrix that runs the shell wrapper in dry-run mode for each supported arch mapping and asserts checksum verification logic passes/fails correctly.

[clawclawclawlol]

Your webpage says "curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install"

The downloaded script downloads a binary and runs it without checking without this even if curl doesn't support it. Security exists in layers.