Finally, for widespread deployment, you need to use HTTPS for download, with both client and server certificates, and verify some kind of signature for each update downloaded. You also want to make sure that you don't download a new version unless the currently installed version is out of date.
I think you could even do without HTTPS using server certificates, and possibly safer, too (though HTTPS is surely the easiest, most straightforward solution with readily available libraries).
Server certificates are not "safe" or even "trusted". They're something you get signed from a company that takes money so you have the feeling that you should trust them. If that company's private key is compromised (DigiNotar, anyone?), anyone could pretend to be your server.
Instead, you could trivially sign (or "sign" by encrypting) your update file using an arbitrary private key (which except while signing you keep on a USB stick around your neck, if you wish), and hardcode the public key into the client. Then download updates via a normal unsecured connection from your server. HTTP, rsync, torrent, FTP, or even a raw socket, or SMB if you want (though I would definitely not want to put SMB on the internet...).
You could probably abuse good old curve25519 for a really really barebones "encrypt signing" by encrypting the install file with a block cipher, then doing a half DH with the symmetric encryption key when packaging the update, and doing the other half DH on the client later (of course one could use the "ed" version instead of this crutch (which does actual signing), but I've never worked with that one, so I couldn't tell much about it).
Anyone knowing the public key (so, anyone having the game client) will be able to do the 2nd half and thus derive the symmetric key used to encrypt the update. There is no big secrecy in that system, but you don't need/want that. It doesn't matter if the NSA reads the contents of your game update.
Someone not knowing your private key can of course do the first half of the DH too, but they can't do it so the derived key deciphers the update to something meaningful (or something that matches a checksum that you'd embed at the end of the encrypted stream, for that matter).
Yes, anyone could hack your server or could tamper with DNS to redirect users to their own server to download their (malicious) updates instead. But none of these will decipher (or give a valid signature) using the public key hardcoded into the client -- so, who cares. The worst thing to happen is that users download updates that will fail to install with an error message. That's admittedly annoying, but there's not much you can do against it.
If someone successfully tampers with your DNS server, you have already lost. Next you would need to protect against someone digging up the ground and pulling out the cable. There are things you just can't protect against.
Of course, if you pull an Opera and have your code signing certificate stolen, you're in big trouble... but there's hardly a way to be 100% safe against such a thing happening, you can only avoid the most stupid mistakes (such as storing it on a computer with internet connection, or even a server).
But as long as a key exists, someone can in principle steal it, if nothing else, then by breaking and entering, and putting a gun to your head. It's doubtful whether your game is worth such a risk, though.
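The pinned-key check discussed in this thread, as an added example that is not part of the original posts: it uses Go's standard `crypto/ed25519` (the "ed" signing variant mentioned above) and binds the version number into the signed bytes so an old, validly signed build cannot be served again as an update. The function names, the signed-message layout and the fixed demo seed are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrNotNewer = errors.New("update is not newer than the installed version")
var ErrBadSignature = errors.New("signature does not verify against the pinned key")

// signedBytes is the message that gets signed: version (8 bytes, big-endian)
// followed by SHA-256 of the payload. Layout is an assumption of this example.
func signedBytes(version uint64, payload []byte) []byte {
	msg := make([]byte, 8, 8+sha256.Size)
	binary.BigEndian.PutUint64(msg, version)
	h := sha256.Sum256(payload)
	return append(msg, h[:]...)
}

// SignUpdate runs on the packaging machine that holds the private key.
func SignUpdate(priv ed25519.PrivateKey, version uint64, payload []byte) []byte {
	return ed25519.Sign(priv, signedBytes(version, payload))
}

// VerifyUpdate runs in the client; pinned is the public key compiled into it.
// How the payload arrived (HTTP, torrent, FTP) plays no part in the decision.
func VerifyUpdate(pinned ed25519.PublicKey, installed, version uint64, payload, sig []byte) error {
	if version <= installed {
		return ErrNotNewer
	}
	if !ed25519.Verify(pinned, signedBytes(version, payload), sig) {
		return ErrBadSignature
	}
	return nil
}

// demoKeys builds a constructed key pair from a fixed seed, for this demo only.
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKeys()
	payload := []byte("game update v7 (constructed sample)")
	sig := SignUpdate(priv, 7, payload)
	fmt.Println("genuine: ", VerifyUpdate(pub, 6, 7, payload, sig))
	fmt.Println("tampered:", VerifyUpdate(pub, 6, 7, append([]byte("x"), payload...), sig))
	fmt.Println("replayed:", VerifyUpdate(pub, 7, 7, payload, sig))
}
```

A tampered or substituted file fails with `ErrBadSignature` regardless of which server delivered it, which is the "fails to install with an error message" outcome described above.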