Scenario: I recently came across this issue using Lubuntu. When I tried upgrading using the terminal with "apt upgrade", I got an error like "you are using http which is not secure", so the default action was to skip the upgrade. Without taking it seriously or reading it properly, I upgraded using the app "Software upgrade", which does it all with the click of a button. It upgraded successfully, but that was the last goodbye session. It had corrupted everything on the OS; I am not sure if it was malware or something else.
Question: While installing a fresh Linux, we get SHA or MD5 hashes to verify the authenticity of the ISOs downloaded. But most upgrades are done through HTTP, so how can I verify that those packages are the same as the source, or is there any other way to prevent a MITM from sending me a corrupt package?
You have made the assumption that your system was malware infected without evidence or describing the problem. While this is possible, be more certain by doing forensics and looking into root cause.
A trustworthy apt repo will include secure apt gpg signatures on its metadata. You can review the signatures to be sure they match what is published for lubuntu. apt has leaned on gpg to maintain integrity more than https, but you can use both.
Run
debsums_init
then
debsums --changed
to identify installed packages with changed checksums. The debsums manual acknowledges this has limited use in a security context, so also look into file modification detection or malware signature software.
If the host remains unrecoverable, reinstall from clean media, and restore data from backup.
One way to ensure that the package is the right one and you are not being attacked is to add its key with apt key. For more information Also, you can try to avoid MITM attacks, which is kind of complex because of the great variety of ways they can be done. For example, for ARP spoofing, one of the most common techniques, you can create static lines in your ARP tables.