There's a good argument to be made for signing the update information using offline keys - it reduces the damage that could be caused by a compromised SSL key. That being said, they should've still used HTTPS to secure the transport layer, as it would prevent replay attacks (as @dchest mentioned) and make it harder to exploit vulnerabilities that could be caused by e.g. corrupted update information.
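The replay gap described above, as an added example that is not part of the original comment: a valid signature proves who produced the update information, not that it is current, so an old signed copy still verifies when served over plain HTTP. The `Manifest` format, the Ed25519 key pair and the signed `Expires` field are assumptions for illustration; the expiry check goes beyond the comment and shows one way a client can bound replay alongside HTTPS.

```go
package main
import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest is a constructed update-information format (hypothetical fields).
type Manifest struct {
	Version int
	Expires time.Time // signed expiry: bounds how long a copy can be replayed
}

// Sign stands in for the offline signing step.
func Sign(priv ed25519.PrivateKey, m Manifest) (body, sig []byte) {
	body, _ = json.Marshal(m)
	return body, ed25519.Sign(priv, body)
}

// VerifySignatureOnly proves who signed the manifest, not that it is current.
func VerifySignatureOnly(pub ed25519.PublicKey, body, sig []byte) (m Manifest, err error) {
	if !ed25519.Verify(pub, body, sig) {
		return m, errors.New("bad signature")
	}
	err = json.Unmarshal(body, &m)
	return m, err
}

// VerifyFresh also rejects a correctly signed manifest whose expiry has passed.
func VerifyFresh(pub ed25519.PublicKey, body, sig []byte, now time.Time) (Manifest, error) {
	m, err := VerifySignatureOnly(pub, body, sig)
	if err == nil && now.After(m.Expires) {
		err = errors.New("manifest expired: possible replay")
	}
	return m, err
}

// Demo signs a manifest expiring daysLeft days from a constructed clock
// and returns the verdict of each verifier.
func Demo(daysLeft int) (sigOnly, fresh error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	body, sig := Sign(priv, Manifest{Version: 1, Expires: now.AddDate(0, 0, daysLeft)})
	_, sigOnly = VerifySignatureOnly(pub, body, sig)
	_, fresh = VerifyFresh(pub, body, sig, now)
	return
}
func main() { fmt.Println(Demo(-90)) }
```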