Just some hints about the signatures:
Public keys are installed in the Router from the factory so it can be securely verified from the working router really simple. This verification is native for openwrt packages and it is used to install and update Turris OS packages.
If you don’t have working Router, it is quite tricky to verify it because you need to compile the openwrt usign tool as @Pepe mention above. There is also a possibility to verify it with OpenBSD signify tool (which is available i.e in Debian repositories) . Public keys can be found in our repositories at gitlab for that case.
If you are worried about confidence of the files in the git, the commits are GPG-signed so you are able to verify it as well.
Switching it to native GPG is an option but this will need a lot of changes in the build and deploy process.
cheers 
UPDATE:
So this simple verification process works on debian-like (stretch at least?) distro:
sudo apt install signify-openbsd
curl -sO https://repo.turris.cz/omnia/medkit/omnia-medkit-latest.tar.gz
curl -sO https://repo.turris.cz/omnia/medkit/omnia-medkit-latest.tar.gz.sig
curl -sO https://gitlab.labs.nic.cz/turris/turris-os-packages/raw/test/cznic/cznic-repo-keys/files/test.pub
signify-openbsd -V -p test.pub -x omnia-medkit-latest.tar.gz.sig -m omnia-medkit-latest.tar.gz