It makes no sense to hash a downloaded image for security, if later while running the installScript, I pull thousands of OMV files to a local drive without hasing them. Right?
Is there any possibility to download all of that what might get pulled? Say a big package and running the script locally then, w/o commands like apt-get or wget?
To me, the pulling process seems to be very weak. Too easy to inject "something" into the files while flying through the net.
Having downloaded everything in a package, it'd be easy to hash the whole once before installing. Just to be sure.
And as a benefit, I may install another pi in my private net in a year or so and know(!), that everything needed I already have in my archive.
Since 10 days I now own a Pi3+ and get to know Linux a bit. And I'm sure to move on with that stuff