
Re: GPG verification of apt packages



>    This all sounds pretty promising! Thank you, Noah! Do you happen to know
>    how to access this metadata? I'd love to be able to look at it and
>    understand it better.

See the signed InRelease files in /var/lib/apt/lists

Ah! I see some files here that are relevant to my search. Thanks! For instance, on my system, I see a mirrors.linode.com_debian_dists_buster_main_binary-amd64_Packages file that contains a single SHA256 and a single MD5sum hash for each amd64 package. I could see how that sort of information could be used to verify, on the fly, the packages that arrive here.
 
You should read
https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html

Thanks! I will do so! 
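The hash chain discussed in this message, as an added example that is not part of the original thread: the signed Release data lists a SHA256 and size for each Packages index, and each Packages stanza lists the Size and SHA256 of one .deb. It assumes the InRelease signature has already been verified and its armor stripped; the function names and all sample data are constructed for illustration.

```python
import hashlib

def parse_stanzas(text):
    """Split deb822 text (the Release/Packages format) into one dict per stanza."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:       # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas

def release_hashes(release_text):
    """Map index path -> (sha256, size) from the SHA256 field of Release data."""
    out = {}
    fields = (parse_stanzas(release_text) or [{}])[0]
    for line in fields.get("SHA256", "").splitlines():
        parts = line.split()
        if len(parts) == 3:                           # "<digest> <size> <path>"
            out[parts[2]] = (parts[0], int(parts[1]))
    return out

def matches(data, sha256, size):
    """True only if both the length and the SHA256 digest agree."""
    return len(data) == size and hashlib.sha256(data).hexdigest() == sha256.lower()

def verify_deb(release_text, index_path, packages_bytes, deb_name, deb_bytes):
    """Check the Packages index against Release, then the .deb against Packages."""
    expected = release_hashes(release_text).get(index_path)
    if expected is None or not matches(packages_bytes, *expected):
        return "packages-index-mismatch"
    for st in parse_stanzas(packages_bytes.decode()):
        if st.get("Filename") == deb_name:
            ok = matches(deb_bytes, st.get("SHA256", ""), int(st.get("Size", -1)))
            return "ok" if ok else "deb-mismatch"
    return "not-listed"

# Constructed sample data, not real archive contents.
INDEX, NAME = "main/binary-amd64/Packages", "pool/main/h/hello-demo_1.0_amd64.deb"
DEB = b"constructed stand-in for a .deb file"
PACKAGES = (f"Package: hello-demo\nVersion: 1.0\nFilename: {NAME}\nSize: {len(DEB)}\n"
            f"SHA256: {hashlib.sha256(DEB).hexdigest()}\n"
            "Description: demo\n constructed entry\n").encode()
RELEASE = f"Suite: demo\nSHA256:\n {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} {INDEX}\n"
print(verify_deb(RELEASE, INDEX, PACKAGES, NAME, DEB))
```

A tampered Packages index is rejected before any per-package hash in it is trusted, which is why the signature only needs to cover the Release data.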
