The term curlpipe comes from using the program curl to download a file and immediately executing the file via a pipe in the command line (this is bad and you should feel bad for doing this)
Regardless of the obvious security concerns, many projects feel the need to tell users to execute arbitrary scripts transmitted over plaintext. Is there a workarround for these people? I believe there is now: just pipe it through gpg.
But wait, that won't actually work.
Consider the following:
curl $url | gpg | bash
This command SHOULD fail if the signature is invalid but it doesn't.
curl http://i2p.rocks/files/gpg-test.sh.asc | gpg | bash % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 293 100 293 0 0 7274 0 --:--:-- --:--:-- --:--:-- 7325 it works backdoor gpg: Signature made Sat 22 Oct 2016 08:18:57 AM EDT using …