This is incorrect. If the update you download is compromised then the signature is invalid and the update fails.
To achieve a compromised update you either need to compromise the update infrastructure AND the key or the infratstructure AND exploit the local updater to accept the invalid or forged signature.
axx@slrpnk.net 18 hours ago
Please tell me you are not seriously equating a highly sophisticated attack line the Solarwind compromise with piping curl to bash?