How does apt-get check the integrity of the downloaded files it receives?

I've been reading about why encryption is not normally deployed on the apt-get network activities. And learned that it checks the signature of the data that comes from the repo, right?

But now, how does this checking occurs? How is it done to be really safe? For example, if the file and the key are in the server and are sent in an unencrypted way, how would that work? Someone could modify both…

At the root of an apt respository there is a Release file, which contains hashes of the various Contents, Release, and Packages files. The Packages files in turn have hashes of the individual .deb package files. At the same location as the root Release file, there is a Release.gpg file, which contains a GPG digital signature of the Release file, made with a private key belonging to the repository maintainers, using public-key cryptography.

When apt-get downloads the Release file for a repository it will automatically attempt to verify the digital signature with the public keys on file on your system. If the public key from the key pair that the signature was made with is not registered on your system, you will be prompted to approve it; at this point you could contact the repository maintainers or a third party to verify that the public key is authentic by comparing fingerprints (or if you have a copy of the public key you already know is authentic, you can add it with apt-key before you run apt-get.) After that, any files that apt-get downloads from the repository will be checked against their checksums in the Release or Packages files.

The hashes in the Release and Packages files are a normal data integrity feature of apt. The addition of the GPG signature is part of what debian calls SecureApt (see that link for more details).