[tyho]

All signed, with the signature keys delivered over HTTP, just as the site states.

[detaro]

https://software.opensuse.org/ offers the GPG fingerprint over HTTPS. A bit curious that they don't enforce HTTPS for this page, but it is there.

And the key has been the same for years, so there are quite a few independent sources quoting it, which helps to verify it.

[rbrownsuse]

the site states that openSUSE does not sign it's checksums or provide instructions on how to verify them

Both claims are demonstrably false.