I'm new to OpenWRT and noticed that the software downloads are using plain HTTP links as default.
While 'opkg update' seems to check the signature ('Signature check passed.'), I did not find similar output for 'opkg install ip-full'.
Does this mean that some downloads are processed without signature check?
I also found instructions how to configure downloads via HTTPS, but I probably have to download unchecked files in the first place. Sounds like a catch-22 for me and I wonder how I can fix this without having to download packages without signature check?
your device does download the signed package list from openwrt servers over plain http and checks the signature of it against the keys in /etc/opkg/keys.
This package list contains package names and a sha256 of the ipk package.
So if you install a package, it's fetched also over plain http and checked against the sha256 hash in the already verified package list.
And voilà, your requested package install is verified to come from the official openwrt package repos.
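The second half of that chain (looking a package up in the already signature-verified index and checking the downloaded .ipk against the recorded hash) is small enough to show end to end. The script below is an added example, not code from opkg or the OpenWrt project: it parses a constructed Packages index in the field layout opkg uses (`Package`, `Version`, `Filename`, `SHA256sum`, blank-line separated stanzas), then checks a constructed package blob against the index. The package bytes, version string and filename are made up for the example, and the hash in the index is computed from those bytes; the signature check on the index itself is assumed to have already passed, exactly as the answer describes.

```python
import hashlib
import hmac

# Constructed package bytes standing in for a downloaded .ipk (not a real package).
IP_FULL_IPK = b"constructed fake ipk contents for the ip-full example"

# Constructed Packages index in opkg's stanza layout. The SHA256sum is derived
# from the constructed bytes above, so the index and package agree as they
# would after a genuine 'opkg update'. Version and Filename are placeholders.
PACKAGES_INDEX_TEXT = (
    "Package: ip-full\n"
    "Version: 0.0-example\n"
    "Filename: ip-full_0.0-example_example.ipk\n"
    "SHA256sum: " + hashlib.sha256(IP_FULL_IPK).hexdigest() + "\n"
    "\n"
    "Package: ip-tiny\n"
    "Version: 0.0-example\n"
    "Filename: ip-tiny_0.0-example_example.ipk\n"
    "SHA256sum: " + "0" * 64 + "\n"
    "\n"
)


def parse_packages_index(text):
    """Parse a Packages index into {package name: {field: value}}.

    Stanzas are separated by blank lines; each line is 'Field: value'.
    This is only trusted once the index's signature has been verified
    against the keys in /etc/opkg/keys, which is assumed done here.
    """
    entries = {}
    current = {}
    for line in text.splitlines():
        if not line.strip():
            if "Package" in current:
                entries[current["Package"]] = current
            current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if "Package" in current:
        entries[current["Package"]] = current
    return entries


def verify_package(index, name, data):
    """Return True only if sha256(data) matches the index's SHA256sum for name.

    A package missing from the index, or an entry without a SHA256sum, is
    rejected rather than silently accepted. compare_digest avoids leaking
    the position of the first mismatching byte through timing.
    """
    entry = index.get(name)
    if entry is None:
        return False
    expected = entry.get("SHA256sum", "").lower()
    if len(expected) != 64:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


INDEX = parse_packages_index(PACKAGES_INDEX_TEXT)

if __name__ == "__main__":
    print("ip-full genuine :", verify_package(INDEX, "ip-full", IP_FULL_IPK))
    print("ip-full tampered:", verify_package(INDEX, "ip-full", IP_FULL_IPK + b"\x00"))
    print("ip-tiny (wrong hash in index):", verify_package(INDEX, "ip-tiny", IP_FULL_IPK))
    print("unknown package :", verify_package(INDEX, "nonexistent", IP_FULL_IPK))
```

The point the code makes explicit is that the plain-HTTP transport of the .ipk does not matter for integrity: any byte changed in transit fails the hash comparison, and the hash itself is only trusted because the index carrying it was signature-checked first. Switching the download URLs to HTTPS afterwards adds confidentiality and a second integrity layer, but the install is already verified without it.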