I couldn't find much info on the security of Ubuntu (and Linux in general) update verification/security.
The connection appears to be plain FTP, but the packages are signed using a private key, and the corresponding public key is stored in the system as a trusted key.
So what are the details? Is the package itself signed or just the hash? Is it an RSA 4096 bit key? What are the chances of a malicious entity being able to mess with the updates and who owns the private key?
Best Answer
A concept called Secure Apt is used to verify the integrity of packages from Apt package repositories. The key methods are:
Package maintainers generate and publish a list of checksums calculated by secure hash functions from their packages (binary and source).
They sign that list with their private GPG key.
Apt maintains a key ring with public GPG keys of verified package authors and maintainers.
Upon package download and installation, Apt verifies
For more info visit the Debian Wiki on Secure Apt.
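An added example, not part of the answer above, showing the hash chain Secure Apt checks after the GPG signature on the Release file has been verified: the signed Release file lists the checksum of each Packages index, and each Packages index lists the checksum of each .deb. The archive contents (Release, Packages and the .deb bytes) are constructed here so the script runs offline; the signature step itself (gpgv against apt's keyring) is assumed to have already passed on RELEASE_TEXT.

```python
import hashlib

# Constructed sample data, not real archive contents: the .deb a mirror would
# serve and the Packages index stanza that describes it.
DEB_BYTES = b"fake deb contents"
PACKAGES_TEXT = (
    "Package: example\nVersion: 1.0\n"
    "Filename: pool/main/e/example/example_1.0_amd64.deb\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n\n"
)
# The Release file carries the checksum of every index file; in a real archive
# this is the text the maintainers' GPG signature (Release.gpg / InRelease) covers.
# Assumed here: that signature has already been verified against apt's keyring.
RELEASE_TEXT = (
    "Suite: stable\nCodename: example\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES_TEXT.encode()).hexdigest()} "
    f"{len(PACKAGES_TEXT)} main/binary-amd64/Packages\n"
)

def parse_release_hashes(release_text, algo="SHA256"):
    """Return {path: (hexdigest, size)} from one hash stanza of a Release file."""
    entries, in_stanza = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # stanza header or other field
            in_stanza = line.rstrip(":") == algo
            continue
        if in_stanza:                         # " <digest> <size> <path>"
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(packages_text):
    """Return {Filename: (SHA256, Size)} for each stanza of a Packages index."""
    out = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        out[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return out

def verify_blob(blob, expected):
    """Both size and digest must match what the signed metadata promised."""
    digest, size = expected
    return len(blob) == size and hashlib.sha256(blob).hexdigest() == digest

def verify_chain(release_text, packages_text, index_path, deb_path, deb_bytes):
    """Signed Release -> Packages index -> .deb: every link must match or the install is refused."""
    idx = parse_release_hashes(release_text).get(index_path)
    if idx is None or not verify_blob(packages_text.encode(), idx):
        return False
    pkg = parse_packages(packages_text).get(deb_path)
    return pkg is not None and verify_blob(deb_bytes, pkg)
```

Because only the Release file is signed, a mirror that alters a Packages index or a .deb breaks the chain at that link; the transport (plain FTP or HTTP) does not need to be trusted.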