The OS has MD5 checksums in the /pub/OpenBSD/<release>/<arch> folder. The best practice is to compare checksums from a different mirror than you download the filesets from. Note that this MD5 checksum does not include the X11 filesets.
Every port in the tree includes checksums. This is critical for picking up any unexpected changes in source files. For an example, see any /usr/ports/<category>/<port>/distinfo file, and for further information, see the ports(7) and bsd.port.mk(5) man pages.
For packages, the x* filesets, and the CVS tree, trust is required.
Note. This has been discussed many times over the years. A perusal of the misc@ archives should lead you to some heated discussion on the subject.