clojure-tools artifacts are published unauthenticated, which is a security risk, especially for the linux install.
One simple approach would be to output a checksum file and sign the checksum file. I recommend not signing with openssl or pgp, and deferring to a simple tool like signify.
I agree. It would be especially useful to publish it on https://clojure.org/guides/getting_started
The tarball that's downloaded as the base for the script also does not authenticate its source.