
I mentioned this elsewhere, but signing can tell you whether it's an authentic object, but usually not whether it's THE authentic object you had requested. So you then need something extra to validate that what you got is what you wanted, for example check the version number in the signed image. But how do you know what version number you should be looking for without HTTPS?

In this case the article points out that the metadata itself is downloaded over HTTP.

A silly solution:

Recreate a package every day, week or month and update the package date to the current time. A device will refuse to install an update that is older than a factory-specified interval. Of course the problem then is that your device now needs to have a secure channel to NTP servers. Possibly they could use radio synchronization instead, the same as used in radio-controlled watches. It could be exploited, but it would be much harder to do remotely over a network.

It needs a bit of gymnastics, but it may still be easier in the long run than HTTPS. Your mileage may vary.

Edit: Dear downvoter: Was I overly dumb or inaccurate with my proposition?


Simpler solution: just refuse to install a firmware update that doesn't verify, or whose version number is less than the currently installed version.
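The two comments above describe complementary checks on a signed firmware package: verify the signature, refuse anything whose version is not newer than what is installed, and (if the device has a trustworthy clock) refuse anything whose signed timestamp is older than an allowed window. The program below is an added example written for this page, not code from the thread or from any product it discusses. It assumes an Ed25519 vendor key, a constructed fixed-layout manifest (version, timestamp, SHA-256 of the image) as the signed object, and a 30-day freshness window; all of those are illustrative choices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Manifest is the signed metadata a device checks before installing an image.
// The signature covers all three fields, so replaying a genuine but stale
// package cannot be combined with a forged version or timestamp.
// (Constructed layout for this example; real update formats differ.)
type Manifest struct {
	Version   uint32   // monotonically increasing firmware version
	Timestamp int64    // Unix seconds when the vendor (re)signed the package
	ImageHash [32]byte // SHA-256 of the firmware image this manifest vouches for
}

// Encode serialises the manifest in a fixed layout; this byte string is what
// gets signed by the vendor and verified by the device.
func (m Manifest) Encode() []byte {
	buf := make([]byte, 4+8+32)
	binary.BigEndian.PutUint32(buf[0:4], m.Version)
	binary.BigEndian.PutUint64(buf[4:12], uint64(m.Timestamp))
	copy(buf[12:], m.ImageHash[:])
	return buf
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrHashMismatch = errors.New("image hash does not match signed manifest")
	ErrRollback     = errors.New("version is not newer than installed version")
	ErrStale        = errors.New("package is older than the allowed age")
)

// Device holds the verifier state: the vendor's public key, the version
// currently running, and the maximum package age it will accept.
type Device struct {
	VendorKey        ed25519.PublicKey
	InstalledVersion uint32
	MaxAge           time.Duration
}

// Accept returns nil only if the image passes every check. The signature is
// checked first because version and timestamp are untrusted until it has been.
// The age check is only as strong as the clock passed in as "now".
func (d *Device) Accept(image []byte, m Manifest, sig []byte, now time.Time) error {
	if !ed25519.Verify(d.VendorKey, m.Encode(), sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	if m.Version <= d.InstalledVersion {
		return ErrRollback
	}
	if now.Sub(time.Unix(m.Timestamp, 0)) > d.MaxAge {
		return ErrStale
	}
	return nil
}

// GenerateVendorKey and SignManifest are the vendor side, included so the
// example runs offline; a real vendor key lives in an HSM, not in the program.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

func main() {
	pub, priv := GenerateVendorKey()
	image := []byte("constructed firmware image bytes") // constructed sample input
	m := Manifest{Version: 7, Timestamp: time.Now().Unix(), ImageHash: sha256.Sum256(image)}
	sig := SignManifest(priv, m)
	dev := &Device{VendorKey: pub, InstalledVersion: 6, MaxAge: 30 * 24 * time.Hour}
	fmt.Println("newer, fresh, valid:", dev.Accept(image, m, sig, time.Now()))
	dev.InstalledVersion = 7
	fmt.Println("replay of installed version:", dev.Accept(image, m, sig, time.Now()))
}
```

The version check needs no clock and already rejects a replay of the currently installed package (the comparison is `<=`, not `<`); what it cannot stop is an attacker who withholds newer updates, which is the gap the timestamp check is meant to close, and that check is only meaningful if "now" comes from a source the attacker cannot set, which is exactly the NTP problem raised above.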
