I would assume it does not do those things, or else creating/flashing custom firmware like DD-WRT would presumably be impossible. They could be doing some verification in the firmware itself, but obviously that only saves you from bad downloads - anybody serving you up a malicious firmware can easily just serve one up without the verification checks inside.
Their firmwares for newer devices do indeed include signature support. A malicious firmware on their server will fail the signature check and not be flashed. Signature checks occur only in the flasher, not in the bootloader, but that would require physical access to the device, at which point all bets are off anyways.
