Packages seem to be downloaded over http from the Ubuntu main repository, so I was wondering whether the client's OS verifies the packages once downloaded?
If so please could someone outline the different steps in this process? Would be much obliged if you could use apt-get flac as an example!
When exploring - http://archive.ubuntu.com/ubuntu/pool/main/f/flac/- I can see that there is a DSC file for each version of the package. Within this are the hashes of the XZ archives for the release, which is then in turn signed by one of the maintainers.
