$ curl -sI https://google.com | sed -n '/content-length/l'
content-length: 220\r$
HTTP headers are delimited with CRLF, while the Unix line delimiter is LF.
Also using unsanitised data in arithmetic expressions in bash and other Korn-like shells is a command injection vulnerability, all the more a problem here that you used the -k aka --insecure option allowing MitM attackers to inject arbitrary headers in responses.
On a GNU system, you can use:
local_size=$(stat -Lc %s -- "$dest/$file") || die
remote_size=$(curl -sI -- "$url" | LC_ALL=C grep -Piom1 '^content-length:\s*\K\d+') ||
die "No content-length"
case $((local_size - remote_size)) in
(0) echo same;;
(-*) echo remote bigger;;
(*) echo local bigger;;
esac
By only returning what \d+ matches in the C locale, we make sure remote_size only contains decimal ASCII digits, removing the ACE vulnerability.
die above could be:
die() {
[ "$#" -eq 0 ] || printf>&2 '%s\n' "$@"
exit 1
}
(adapt to whatever logging mechanism you want to use).