MacUser
News, info, and opinion by Mac users, for Mac users.

Apple updates PGP key

Posted by Derik DeLong | Wednesday, May 14, 2008 5:48 AM PT

Apple authenticates itself to users using a PGP key and updates it every two years. I’ve probably written about this before, but the quick version is that authentication security is based on asymmetric keys. In other words, pairs of keys are used, one public and one private. Apple holds onto the private one and tells it to no one. The public one is listed here. The key (pun unintended) of this is that something encrypted with one key can be decrypted by the other.

By encrypting a message (or some version thereof, like a hashed version) using the private key, we can check that Apple sent the message by decrypting with the public key. If the two match up, Apple wrote it. No one but Apple knows the private key, therefore if the public key decrypts it, Apple must have written it.

Now, given enough time, brute force methods could discover the private key (how long that takes is up to theorists to decide). Therefore, Apple spawns a new key pair every two years, effectively removing that threat. Apple puts the new public key on its website (which we expect hasn’t been hacked) and sends it out in email, authenticating it with the old key (the old key’s final use). Now you can verify those security mailing list messages from Apple and know why it works. Don’t you feel better?
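As an added example (not code from the post or from Apple), here is the scheme described above in textbook RSA: sign by "encrypting" a hash with the private key, verify by "decrypting" with the public key, and hand over to a new key pair by having the old key sign the new public key. The primes, key names and advisory text are all constructed for the demo.

```python
# Added example, not from the post or Apple: textbook RSA with toy-sized
# constructed primes, showing sign/verify and key rotation where the old
# private key's final job is to vouch for the new public key.
import hashlib
from math import gcd

def gen_keypair(p, q, e=65537):
    """Derive an RSA key pair from two distinct primes (constructed, tiny)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi"
    d = pow(e, -1, phi)            # private exponent, e * d == 1 (mod phi)
    return (n, e), (n, d)          # (public key, private key)

def digest_int(message: bytes, n: int) -> int:
    """SHA-256 of the message as an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    """'Encrypt' the hash with the private exponent: only the key holder can."""
    n, d = private_key
    return pow(digest_int(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """'Decrypt' the signature with the public exponent; it must match the hash."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message, n)

def announce_new_key(old_private, new_public):
    """Key rotation: the old private key signs the new public key (its last use)."""
    announcement = f"new-key:{new_public[0]}:{new_public[1]}".encode()
    return announcement, sign(announcement, old_private)

def accept_new_key(announcement: bytes, signature: int, trusted_old_public):
    """Recipient side: adopt the new public key only if the old key signed it."""
    if not verify(announcement, signature, trusted_old_public):
        return None
    _, n, e = announcement.decode().split(":")
    return (int(n), int(e))

if __name__ == "__main__":
    old_pub, old_priv = gen_keypair(1000000007, 998244353)
    new_pub, new_priv = gen_keypair(2147483647, 1000000009)
    msg = b"APPLE-SA-2008-05-14 (constructed sample advisory text)"
    sig = sign(msg, old_priv)
    print("genuine advisory verifies:", verify(msg, sig, old_pub))
    print("tampered advisory verifies:", verify(msg + b"!", sig, old_pub))
    ann, ann_sig = announce_new_key(old_priv, new_pub)
    print("new key adopted:", accept_new_key(ann, ann_sig, old_pub) == new_pub)
    print("self-signed new key adopted:", accept_new_key(ann, sign(ann, new_priv), old_pub))
```

A new key that merely signs itself is rejected; only a signature from the already-trusted old key lets the recipient adopt it, which is why the announcement has to go out before the old key is retired.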

Comments (2)

The key of this is that something encrypted one key.

Anonymous
May 14, 2008
8:46 AM PT

Further proof that whenever someone says "pun unintended" (or, more commonly, "not intended"), it most certainly is.

Dave-O
May 14, 2008
1:47 PM PT
