The user-side upgrade process verifies that the firmware checksums match. The actual cryptographic verification (i.e. "this firmware is official") is done by the Coldcard bootloader during the install process, since you should never trust the computer anyway.
But no pgp verification? Where do you get the "good" checksum to compare against?
From Coinkite's official list of releases: https://raw.githubusercontent.com/Coldcard/firmware/master/releases/signatures.txt The PGP verification is done by the device itself.