So the update request is received by my computer over the internet from another computer, "would you like to accept and download this update?"
No - YOUR computer goes to a pre-defined, unique address on the internet and looks for updates. If it finds them, it asks you if you want it to download the update. That's a pull model.
If I accept, my computer knows the source is legitimate because it compares a digital signature (bunch of numbers, or maybe raw 1's and 0's).
Everything in computers breaks down to raw 1's and 0's, but I gave you a wrong number earlier. I said it was a 128 bit signature and its not, its a 128 BYTE signature, which is 1024 bits, which is 1.797693134862315907729305190789e+308 possible combinations.
How did my computer get that signature?
The server which lives at the predetermined address that your computer went to provided the signature, and the server that lives at another predetermined addressed compared and verified that signature with its records. Its kind of like the difference between you calling your credit card company on the 800 # on your card and talking to them about your account, as opposed to taking an incoming call on your phone and then talking about your account. In the first case, you KNOW you got your card company. In the second, it could be me pretending to be your card company.
Some other computer put it there either over the internet or when it was manufactured.
It came with the file when your computer went and got it.
So we are relying on no interference with that event, and that no one was able to hack into my computer and alter the signatures?
Again, you're misunderstanding the model at work here - the updates are not pushed to your computer, your computer goes and looks for new updates. That makes the source highly trustworthy to begin with, and the key verification is also done by your pc going out and checking with another trusted source.
