
Just since you mentioned Chrome's updating mechanism, it is a fascinating approach that they took: http://www.chromium.org/developers/design-documents/software...



Yes, but it's very difficult to set up outside Google.


courgette is just a binary diff algorithm -- there's nothing fancy to it (they use some really neat tricks, though), and apparently (I haven't verified) the source is in the chromium tree.

validating your updates via asymmetric crypto can be mildly expensive (http://www.verisign.com/code-signing/content-signing-certifi... lists Windows Authenticode certificates at $400/yr) but is within the realm of a small company.

setting up a Google-scale CDN and writing a reliable push update framework? that's the hard part.


To validate updates using asymmetric crypto you don't need to buy a special key at all. You can generate the keypair yourself... The only thing you need is some crypto lib to check an RSA or DSA signature on the downloaded data using a public key embedded in the software.


> $400/yr

That's VeriSign for you. Thawte sells the very same certificates for $200, and Comodo runs a coupon deal for Tucows members that gets you the cert for $99 (though the actual process is a bit too contrived compared to Thawte's).


startssl.com has code signing certificates for 60$, valid for 2 years.


yeah, I didn't go out of my way to find the cheapest price there. I just searched for "authenticode certificate" and that was the first result.


If I recall correctly, Google is facing a patent lawsuit over the Courgette technology. I don't remember if the complainant was a patent troll or not.


Whatever the outcome would be, that is enough to stop people from using this piece of open source software to provide safer updates.


As stated above, courgette doesn't provide safer updates, just smaller ones. It's just a really smart executable binary diff. Signing the update is an orthogonal issue.


I was talking about downloading their update code from their repositories and setting it up. That's not easy and you can see the discussions about this on their forum.


you can either use Courgette or bsdiff or some other binary diff algorithm for compressing code updates, or punt and choose to fully replace all of your code every time you rev.

update verification is a < 100-line block of code using system cryptographic libraries on Windows.

for Chrome-style background updating, the solution is as simple as:

1) running a thread in the background to ping an API to check when updates are available, 2) downloading them via HTTP when they arrive, and 3) having a program which gets run at update-required-exit, which verifies and applies the patch to your main executable.

yes, writing update machinery for your software is some work. no, it's not insurmountable, and will certainly get easier as the Mac App Store and Windows Store gain traction because they allow you to piggyback on the update machinery of the platform.
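
The verify-before-apply step from the comment above (step 3), using a self-generated RSA key as suggested earlier in the thread. This is an added example, not part of the thread or of Chromium's code. The function names are hypothetical, the RSA check is written out in standard-library Python instead of calling a system crypto library so that it runs anywhere, and the demo key is constructed and not secure.

```python
import hashlib
import hmac

# DER prefix of the DigestInfo structure for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def expected_em(data: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(data) for a k-byte modulus."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_update(data: bytes, sig: bytes, n: int, e: int) -> bool:
    """True only if sig is a valid RSA PKCS#1 v1.5 / SHA-256 signature on data."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    # Rebuild the whole encoded message and compare it byte for byte,
    # rather than parsing the padding: lenient parsers have allowed forgeries.
    return hmac.compare_digest(em, expected_em(data, k))

def apply_update(data: bytes, sig: bytes, n: int, e: int, install) -> bool:
    """Verify first; hand the payload to the installer only on success."""
    if not verify_update(data, sig, n, e):
        return False
    install(data)
    return True

# --- Constructed demo key, NOT secure: the primes are two Mersenne primes. ---
# A real client embeds only (n, e); the private exponent stays on the release host.
_P, _Q = 2**521 - 1, 2**607 - 1
DEMO_N, DEMO_E = _P * _Q, 65537
_DEMO_D = pow(DEMO_E, -1, (_P - 1) * (_Q - 1))

def demo_sign(data: bytes) -> bytes:
    """Release-side signing with the demo key, used here only to make test input."""
    k = (DEMO_N.bit_length() + 7) // 8
    m = int.from_bytes(expected_em(data, k), "big")
    return pow(m, _DEMO_D, DEMO_N).to_bytes(k, "big")
```

The signature should cover the bytes that will actually be installed (the patched output or the full package), so a valid signature cannot be paired with different content.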



