I've been looking at how WP works here and concluded this is basically not documented at all (from a developers perspective). On the WP IRC nobody seems to know anything about it, and my looking through the code itself has gotten me few insights into how updates and installation is secured. If anyone know more about this (esp what's up with the WP deployment repository), please contact me, this would be of great help for my GSoC project.
Would it not be enough to hash all extensions on the distributor side, and to check the hash sum on the client side using https for the connection?
Respectfully,
Ryan Lane