Sanzig 2 days ago

I wonder if domain validation might be a good addition to this? You could encode a public key in a TXT record for the domain, and if present, vet could check a signature in the shell script against the key in the TXT record. It wouldn't stop attacks where the owner lost control of the DNS records, but it would stop the "webserver hijack" attack vector.
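The check proposed in the comment above, as an added Go example that is not part of the thread and is not vet's own code. The record format `v=vet1; k=ed25519; p=<base64>` (modeled on DKIM's tag list), the function names and the sample key are assumptions; the TXT value is passed in as a string, so no DNS lookup is performed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// parseKeyRecord reads an Ed25519 key from a DKIM-style TXT value (hypothetical "vet1" format).
func parseKeyRecord(txt string) (ed25519.PublicKey, error) {
	tags := map[string]string{}
	for _, part := range strings.Split(txt, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	if tags["v"] != "vet1" || tags["k"] != "ed25519" {
		return nil, errors.New("unsupported key record")
	}
	raw, err := base64.StdEncoding.DecodeString(tags["p"])
	if err != nil || len(raw) != ed25519.PublicKeySize {
		return nil, errors.New("malformed public key")
	}
	return ed25519.PublicKey(raw), nil
}
// verifyScript checks a detached signature over the exact script bytes and fails closed.
func verifyScript(txt string, script, sig []byte) error {
	pub, err := parseKeyRecord(txt)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, script, sig) {
		return errors.New("signature does not match published key")
	}
	return nil
}
// sampleSigned builds constructed data: a key from a fixed seed, its TXT record, a signature.
func sampleSigned(script []byte) (string, []byte) {
	priv := ed25519.NewKeyFromSeed([]byte(strings.Repeat("k", ed25519.SeedSize)))
	pub := base64.StdEncoding.EncodeToString(priv.Public().(ed25519.PublicKey))
	return "v=vet1; k=ed25519; p=" + pub, ed25519.Sign(priv, script)
}
func main() {
	script := []byte("#!/bin/sh\necho installing\n")
	txt, sig := sampleSigned(script)
	fmt.Println("original:", verifyScript(txt, script, sig))
	fmt.Println("tampered:", verifyScript(txt, []byte("#!/bin/sh\necho injected\n"), sig))
}
```

A script altered on the web server fails verification because the signing key never leaves the publisher; as the comment notes, whoever controls the DNS zone can still replace the published key.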

goku12 2 days ago

That's what they do in DKIM signing of emails. But if you want to go that route, there are easier solutions. For example, GitHub and GitLab expose your SSH keys at a specific URL. You could use those (for SSH signing) if you trust the account. Another even easier method is to use something like cosign (sigstore) if you trust a PKI. Or you could use WebFinger to advertise signify keys or Web Key Directory (WKD) to expose OpenPGP keys, etc.

maxboone 2 days ago

TLSA records exist, but are for the entire server rather than a single binary or script.