Does it verify the firmware?
A new version of the Coldcard CLI and Rust lib has been published.
Use Bitcoin responsibly, do not use centralized services and custodians.
https://github.com/alfred-hodler/rust-coldcard
#rust #bitcoin 
Discussion
The user-side upgrade process verifies that the firmware checksums match.
The actual cryptographic verification (i.e. "this firmware is official") is done by the Coldcard bootloader during the install process, since you should never trust the computer anyway.
But no PGP verification? Where do you get the "good" checksum to compare against?
Nm I'm an idiot and conflated checksum with hash. So no verification?
From Coinkite's official list of releases:
https://raw.githubusercontent.com/Coldcard/firmware/master/releases/signatures.txt
The PGP verification is done by the device itself.
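The host-side checksum comparison discussed in this thread, as an added example that is not part of any post and not code from rust-coldcard or Coinkite. It assumes the published list is a PGP clearsigned file of `sha256  filename` lines; the sample list, file names and firmware bytes are constructed, and the PGP signature on the list is not checked here.

```python
import hashlib
import hmac
import re

# Constructed sample data: not a real release, not a real signature.
SAMPLE_FIRMWARE = b"constructed firmware image bytes"
SAMPLE_LIST = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

{good}  example-firmware.dfu
{other}  other-firmware.dfu
-----BEGIN PGP SIGNATURE-----

(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
""".format(good=hashlib.sha256(SAMPLE_FIRMWARE).hexdigest(), other="0" * 64)

# Assumed entry layout: 64 hex chars, whitespace, optional '*', file name.
ENTRY = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")

def parse_checksum_list(text):
    """Return {filename: sha256 hex} taken from the signed body only."""
    entries = {}
    in_body = False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break  # text after the body is not covered by the signature
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
            in_body = True
            continue
        match = ENTRY.match(line.strip())
        if in_body and match:
            digest, name = match.group(1).lower(), match.group(2)
            if entries.get(name, digest) != digest:
                raise ValueError("conflicting digests for " + name)
            entries[name] = digest
    return entries

def firmware_matches(data, filename, entries):
    """True only if the SHA-256 of data equals the listed digest for filename."""
    expected = entries.get(filename)
    if expected is None:
        return False  # file not in the list: fail closed
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)
```

A match only shows the file is the one named in the list; whether the list itself is authentic depends on checking its signature separately.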