by pilif 4492 days ago
The packages themselves are signed: Mount the .dmg file and use pkgutil --check-signature /path/to/Installer.pkg to check whether the package is signed by a valid CA (if you want to be totally sure, do this check on a machine running 10.8 or earlier).

FWIW, I did this for the combo update. The SHA1 checksum on the Apple page, c06a63982b522e43997a05cedc04b0bdb1a10207, matches the file, and pkgutil reports

   Package "OSXUpdCombo10.9.2.pkg":
   Status: signed Apple Software
   Certificate Chain:
    1. Software Update
       SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
       -----------------------------------------------------------------------------
    2. Apple Software Update Certification Authority
       SHA1 fingerprint: FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
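As an added example (not code from either commenter), the two checks described in the thread scripted in POSIX shell: compare the package's SHA1 against the checksum published on the download page, then run pkgutil --check-signature and pin the three certificate fingerprints quoted above rather than trusting only the "Status:" line, which reports what the local machine's trust store accepts. The fingerprints and checksum are the ones quoted in the thread; the package path, the tampered second sample and its status wording are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the HN thread. Verifies an Apple installer package by
# (1) comparing its SHA1 with the published checksum and (2) pinning the
# certificate-chain fingerprints printed by pkgutil --check-signature.

# Expected chain for OSXUpdCombo10.9.2.pkg, leaf first, as quoted in the thread
# (spaces removed, uppercase hex). Any other chain is rejected even if pkgutil
# itself reports the package as signed.
EXPECTED_CHAIN="1E34E391C64437DD24BE57B1667B2FDA0976E1FD
FA02790FCE9D930089C8C2510BBC50B4858E6FBF
611E5B662C593A08FF58D14AE22452D198DF6C60"

# Published SHA1 of the combo update, copied from the thread.
EXPECTED_SHA1=c06a63982b522e43997a05cedc04b0bdb1a10207

# Read pkgutil output on stdin; emit each "SHA1 fingerprint:" value as one line
# of uppercase hex without spaces, preserving chain order.
parse_fingerprints() {
    sed -n 's/.*SHA1 fingerprint: *//p' | tr -d ' ' | tr 'a-f' 'A-F'
}

# verify_chain "<pkgutil output>": succeed only if the fingerprint list equals
# EXPECTED_CHAIN exactly (same certificates, same order, same count).
verify_chain() {
    actual=$(printf '%s\n' "$1" | parse_fingerprints)
    [ -n "$actual" ] && [ "$actual" = "$EXPECTED_CHAIN" ]
}

# verify_sha1 <file> <expected-hex>: compare the file's SHA1 (case-insensitive)
# with the published value. Uses sha1sum (coreutils) or shasum (macOS).
verify_sha1() {
    if command -v sha1sum >/dev/null 2>&1; then
        actual=$(sha1sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 1 "$1" | cut -d' ' -f1)
    fi
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Constructed sample 1: the pkgutil output quoted in the thread (chain intact).
GOOD_OUTPUT='Package "OSXUpdCombo10.9.2.pkg":
   Status: signed Apple Software
   Certificate Chain:
    1. Software Update
       SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
       -----------------------------------------------------------------------------
    2. Apple Software Update Certification Authority
       SHA1 fingerprint: FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60'

# Constructed sample 2 (hypothetical status wording and fingerprints): a package
# whose chain ends in some root the local machine happens to trust. Reading only
# the status line would accept it; pinning the chain rejects it.
BAD_OUTPUT='Package "OSXUpdCombo10.9.2.pkg":
   Status: signed by a certificate trusted by the local keychain
   Certificate Chain:
    1. Software Update
       SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD
       -----------------------------------------------------------------------------
    2. Some Other Intermediate CA
       SHA1 fingerprint: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33
       -----------------------------------------------------------------------------
    3. Some Other Root CA
       SHA1 fingerprint: 33 22 11 00 FF EE DD CC BB AA 99 88 77 66 55 44 33 22 11 00'

# Usage: sh verify_pkg.sh /Volumes/OSXUpdCombo10.9.2/OSXUpdCombo10.9.2.pkg
# (the mounted path is an assumption). With no argument, runs the two samples.
main() {
    if [ $# -ge 1 ]; then
        verify_sha1 "$1" "$EXPECTED_SHA1" || { echo "SHA1 mismatch for $1"; return 1; }
        verify_chain "$(pkgutil --check-signature "$1")" || { echo "certificate chain mismatch for $1"; return 1; }
        echo "OK: checksum and pinned certificate chain both match"
    else
        verify_chain "$GOOD_OUTPUT" && echo "sample 1: chain matches the pinned Apple chain"
        verify_chain "$BAD_OUTPUT" || echo "sample 2: chain rejected despite a 'signed' status"
    fi
}

main "$@"
```

Pinning is only as good as the reference list: take the fingerprints from a copy of pkgutil output you already trust (here, the one posted in the thread), not from the machine you are trying to verify.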