Which is all interesting, except the shell script is a wrapper on "download this tarball and unpack it" or "download this rpm/deb and install it." So whatever security concerns existed on those approaches, you only concealed them. Why exactly?
I wish we had shell script installers that are 1. easily proofreadable, and 2. served over SSL, like this:
#!/bin/bash
#
# Installs a product from the Internet.
# PLEASE READ CAREFULLY!
#
mkdir /tmp/foo-installer
cd /tmp/foo-installer
cat > file_2.sh <<________EOF_file2.sh________________________________________
A very long script here....
A very long script here....
A very long script here....
________EOF_file2.sh________________________________________
base64 -d > file2.png <<________EOF_file2.png_______________________________________
iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABHNCSVQICAgIfAhkiAAAAAlwSFlz
AAAN1wAADdcBQiibeAAAABl0RVh0U29mdHdhcmUAd3d3Lmlua3NjYXBlLm9yZ5vuPBoAAAATdEVY
dFRpdGxlAE9wdGljYWwgRHJpdmU+Z7oMAAABkUlEQVQ4jaWSvy9DURTHv6d9ty0tSgivkdBUkGgR
GotNxGoXjY21SJp0ag2CR8SE2oQ0Qiw2RPwDSASLkDL5EbwOlDZpj6mJ5z2/4puc5eZ7P/ec7z3E
zPiPJKPDjsF4q7u2cvj2XvVbhUjuTPd2HhIlAKCd2f0lwD+0KsuVZTGrTTTcPyRfhZBSP3VAzAz/
0KrsLHZsZbNZ8fzyFiemoxzlzg5i/Te/GsFTI08mru7CRpeUmckIwEEQkqHRsPszgIxCVJSJAaZc
H0BtPm9zmc/bnI2vrewTm+KhUHhZY2ZmTU0p4wu7e9tspN29bZ5Sxhc++k2fX2cg0N3VA1V91FV3
Vw8YCOgy0BxIkv3k9Bg+b4tutKvrBCRJsn8LAICK8gpcXJ4jlUpBTT5BCAEAcJaU6ryGALPZjAKb
DSYTwWIRyGTSSGfSsDscOq8uAwAoLMx3SWAA+X8ig63XAYgQXVyaR1FRMaqqXPC469BY3wSXXI2N
zXUQIarxG+3B7JwSYdYa8/CRYGjsR8BfZJjBX/QObiW573fRhdIAAAAASUVORK5CYII=
________EOF_file2.png_______________________________________
