All sigs are currently verified at the caching service / indexer during import. We'll add client verification to reduce reduce trust in the near future.