The user-side upgrade process verifies that the firmware checksums match.
The actual cryptographic verification (i.e. "this firmware is official") is done by the Coldcard bootloader during the install process, since you should never trust the computer anyway.
But no pgp verification? Where do you get the "good" checksum to compare against?
Nm I'm an idiot and conflated checksum with hash. So no verification?
From Coinkite's official list of releases:
https://raw.githubusercontent.com/Coldcard/firmware/master/releases/signatures.txt
The PGP verification is done by the device itself.
