Security model for new auto update feature in GUI v0.16.0.2 'Nitrogen Nebula'

Monero Asked by user10857 on August 24, 2021

What steps are taken to verify the binaries via the new GUI auto update feature? How does it compare to downloading them and manually verifying the hash and GPG key as was required for previous versions?

One Answer

The security features were listed in the initial announcement post of the auto-updater:

We added the following security features:

  • 3 out of 4 DNS servers must indicate a new update is available.
  • The hash of the downloaded binary must be the same as here: https://web.getmonero.org/downloads/hashes.txt
  • hashes.txt must be signed by a maintainer.
  • An extra valid signature by a second maintainer is also required.
  • The GPG keys of the maintainers are hardcoded and can’t be changed by an attacker.

Only if all those points are successful the GUI will download the new update.

This means in the future once a user has downloaded the GUI safely they can always update in app and don’t have to worry about hashes and GPG signatures.

Note that the points above only apply to the update tool inside the GUI and those who manually download still have to verify hashes and signatures.

Source: https://www.reddit.com/r/Monero/comments/h139vq/new_gui_updater_in_v016/

How does it compare to downloading them and manually verifying the hash and GPG key as was required for previous versions?

Verifying the hashes manually essentially entails the following:

  • Import and verify GPG key (fingerprint) of the maintainer that signs the hashes (binaryFate currently).
  • Check whether an update is available.
  • Download and save the hashes.txt file.
  • Verify the hashes.txt file against the GPG key of the maintainer.
  • Check whether SHA256 hash matches the hash displayed in the hashes.txt file.

Basically the only difference is that, for the auto-updater, a second signature from another maintainer is required.

Correct answer by dEBRUYNE on August 24, 2021
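
Added example, not part of the original answer and not Monero project code: the manual steps listed above as a shell script. `PINNED_FPR` is a placeholder for the maintainer fingerprint you verified yourself and the function names are illustrative; the hash is looked up only in the signed text that gpg outputs, so lines placed outside the signed block of hashes.txt cannot satisfy the check.

```bash
#!/usr/bin/env bash
# Added example (not Monero project code): manual check of a download against
# a GPG-signed hashes.txt. Usage: ./verify.sh hashes.txt <downloaded-file>

# ASSUMPTION: placeholder. Set to the full fingerprint of the maintainer key
# you imported and verified yourself; the check fails closed until you do.
PINNED_FPR="${PINNED_FPR:-REPLACE_WITH_VERIFIED_FINGERPRINT}"

# Print the signed text of hashes.txt only if gpg reports a valid signature
# made by the pinned key (as signing key or as its primary key).
signed_body() {
    local status body rc
    status="$(mktemp)" || return 1
    body="$(gpg --batch --status-fd 3 --decrypt "$1" 3>"$status" 2>/dev/null)"
    if awk -v f="$PINNED_FPR" \
        '$2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 } END { exit !ok }' \
        "$status"; then rc=0; else rc=1; fi
    rm -f "$status"
    [ "$rc" -eq 0 ] && printf '%s\n' "$body"
}

# Succeed only if the SHA-256 of file $1 appears as a whole token in the hash
# list read from stdin. A missing file yields no digest and fails.
hash_is_listed() {
    local digest
    digest="$(sha256sum -- "$1" 2>/dev/null | cut -d' ' -f1)"
    [ "${#digest}" -eq 64 ] || return 1
    grep -qiwF -- "$digest"
}

verify_download() {
    local body
    body="$(signed_body "$1")" || { echo "FAIL: no valid pinned signature on $1" >&2; return 2; }
    printf '%s\n' "$body" | hash_is_listed "$2" || { echo "FAIL: hash of $2 not in signed list" >&2; return 3; }
    echo "OK: $2 matches a hash in the signed $1"
}

if [ "$#" -eq 2 ]; then verify_download "$1" "$2"; fi
```

The auto-updater's additional requirement, a second maintainer's valid signature, corresponds to running the signature step once per pinned key and requiring both to succeed.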
