Hello all,

I have looked through the documentation and the source code, and there doesn’t seem to be a way to download the clamav database in a secure way (i.e. with https), is that the case?

Furthermore, I don’t see any mechanism by which the clamav database is verified against a known trusted key/authority. The sigtool utility verifies that the database file has file integrity, but I don’t see any mechanism that prevents someone from injecting a totally different, internally self-consistent, database file, and for my client to trust it as a legitimate list of signatures. That is, the downloaded code does not contain a trusted gpg key, nor does there appear to be any calls out to trusted gpg/ssl certificates on my machine.

By this I do not mean is the source code signed (i.e. http://lists.clamav.net/pipermail/clamav-users/2018-January/005786.html), this is specifically about the .cvd files. 

In short, is there any way I can set up clamav/freshclam and be confident that a malicious user isn’t adding/removing signatures from the upstream mirrors?

- Luke Massa
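To make the distinction in the post concrete (a file that is internally self-consistent versus one that is tied to a trusted authority), here is an added example that is not part of the original post and is not ClamAV's or sigtool's own code. It models the .cvd layout as a fixed 512-byte colon-separated header (magic, build time, version, signature count, functionality level, MD5 of the body, dsig, builder) followed by a gzipped tar of signature files, and implements only the MD5 integrity check; the dsig field is left as a placeholder and no key or signature verification is attempted. The signature lines, version numbers and builder name are constructed for illustration.

```python
import hashlib
import io
import tarfile

HEADER_LEN = 512  # a .cvd starts with a fixed 512-byte, colon-separated header

# Constructed sample signatures in .ndb format (Name:TargetType:Offset:HexSig).
# These are illustrative entries, not real ClamAV signatures.
LEGIT_SIGS = [
    "Example.Test.A:0:*:4d5a9000030000000400",
    "Example.Test.B:1:*:7f454c4602010100",
]


def make_body(sig_lines):
    """Pack signature lines into a gzipped tar, the payload under the CVD header."""
    data = "\n".join(sig_lines).encode() + b"\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("daily.ndb")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_cvd(sig_lines, version, builder):
    """Build a self-consistent CVD-like file: every header field is derived from the body."""
    body = make_body(sig_lines)
    fields = [
        "ClamAV-VDB",
        "01 Jan 2018 00-00 +0000",      # build time (constructed)
        str(version),                   # database version
        str(len(sig_lines)),            # number of signatures
        "80",                           # functionality level (constructed)
        hashlib.md5(body).hexdigest(),  # MD5 of everything after the header
        "no-dsig-in-this-example",      # dsig field: not implemented in this example
        builder,                        # builder name
    ]
    header = ":".join(fields).encode()
    if len(header) > HEADER_LEN:
        raise ValueError("header too long")
    return header.ljust(HEADER_LEN, b" ") + body


def parse_header(data):
    """Split the 512-byte header into the fields the integrity check needs."""
    fields = data[:HEADER_LEN].rstrip(b" \0\n").decode().split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 8:
        raise ValueError("not a CVD header")
    return {"version": int(fields[2]), "sigs": int(fields[3]),
            "md5": fields[5], "dsig": fields[6], "builder": fields[7]}


def check_integrity(data):
    """Integrity only: does the body hash to the MD5 recorded in the header?"""
    return hashlib.md5(data[HEADER_LEN:]).hexdigest() == parse_header(data)["md5"]


def list_signatures(data):
    """Unpack the body and return every signature line it carries."""
    lines = []
    with tarfile.open(fileobj=io.BytesIO(data[HEADER_LEN:]), mode="r:gz") as tar:
        for member in tar.getmembers():
            f = tar.extractfile(member)
            if f is not None:
                lines.extend(f.read().decode().splitlines())
    return lines


def tamper_last_byte(data):
    """Flip one bit in the body without touching the header: the MD5 check catches this."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


LEGIT = build_cvd(LEGIT_SIGS, version=24200, builder="upstream")
# A mirror operator rebuilds the whole file with one signature dropped and a fresh MD5;
# nothing in the header ties it to the real publisher, so the integrity check is happy.
FORGED = build_cvd(LEGIT_SIGS[:1], version=24201, builder="upstream")

if __name__ == "__main__":
    for name, db in ("legit", LEGIT), ("forged", FORGED), ("bit-flipped", tamper_last_byte(LEGIT)):
        print(name, "integrity:", check_integrity(db))
    print("forged db still lists:", list_signatures(FORGED))
```

The bit-flipped copy fails because its header no longer matches its body; the forged copy passes because whoever rebuilt it also rewrote the header. Only a check against a key the client already trusts can tell the two "passing" files apart, which is the question the post is asking.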