Comment by gruez
17 days ago
>This is also why update signatures should be validated against a different server; it would require hackers to control both servers to go undetected
No, it should be a hardcoded key held by the developer, preferably using an HSM, and maybe with some sort of notification capability in case the key was lost. Adding a second server adds marginal security. For instance if the developer's mail was hacked, an attacker would likely be able to reset passwords for both hosting providers.
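The pinned-key approach the comment argues for, as an added example that is not from the thread: the developer's Ed25519 public key is compiled into the client, so an update is accepted only if its signature verifies under that key, regardless of which servers an attacker controls. The seed, payloads and the `SignUpdate`/`VerifyUpdate` names are constructed for illustration; the signing step stands in for what would happen inside an HSM.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// devSeed is a CONSTRUCTED stand-in for the developer's private key material,
// which in practice lives inside an HSM and never leaves it.
var devSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

// PinnedPublicKey is the developer's public key baked into the client binary.
// It is never downloaded, so no hosting-provider compromise can swap it out.
var PinnedPublicKey = ed25519.NewKeyFromSeed(devSeed).Public().(ed25519.PublicKey)

// SignedUpdate is what an update server serves: payload plus detached signature.
type SignedUpdate struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate is the release-time step on the developer side (HSM in practice).
// The update server only stores the result; it never holds the private key.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) SignedUpdate {
	return SignedUpdate{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyUpdate accepts an update only if the signature validates under the
// pinned key; controlling every server still does not yield a valid signature.
func VerifyUpdate(u SignedUpdate) error {
	if len(u.Signature) != ed25519.SignatureSize {
		return errors.New("update rejected: malformed signature")
	}
	if !ed25519.Verify(PinnedPublicKey, u.Payload, u.Signature) {
		return errors.New("update rejected: signature does not verify under pinned key")
	}
	return nil
}

func main() {
	devPriv := ed25519.NewKeyFromSeed(devSeed)
	genuine := SignUpdate(devPriv, []byte("app-v2.0.0 bytes (constructed)"))
	fmt.Println("genuine update:", VerifyUpdate(genuine)) // <nil>
	tampered := genuine // a hijacked server can alter the payload but not re-sign it
	tampered.Payload = []byte("app-v2.0.0 bytes (backdoored)")
	fmt.Println("tampered payload:", VerifyUpdate(tampered))
	attackerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x99}, ed25519.SeedSize))
	fmt.Println("attacker-signed:", VerifyUpdate(SignUpdate(attackerPriv, tampered.Payload)))
}
```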