As it is written in the documentation CVD is a digitally signed container that includes signature databases in various text formats.

Manually we can verify digital signature using "sigtool --info". Correct me if I am wrong.

And second question: Does freshclam automatically verify the digital signature when updating the virus database?

Regards, Artem