It seems there is an encrypted file hash in the header of the pup but the pkgs themselves will have encryption as well. The key(s) used to encrypt are probably changed every so often too to further avoid tampering just like other systems (PS3, PSP, etc.) have had done. They are always privately signed.