[slrz]

The SHA-2 checksums to verify packages against are delivered as part of the (signed) package index (as the article alludes to).

[pkgsupplysec]

And those package repo sha256 checksums are signed and verified with ed25519 by usign and ucert (with a key built into the firmware)

usign: https://git.openwrt.org/project/usign.git

ucert: https://git.openwrt.org/project/ucert.git

Firmware releases are also signed with GPG: https://openwrt.org/docs/guide-user/security/release_signatu...

openwrt/openwrt: https://github.com/openwrt/openwrt

openwrt/packages: https://github.com/openwrt/packages

openwrt/openwrt/search?q="usign" https://github.com/openwrt/openwrt/search?q=usign