Really? If Chrome's had updates pushed to it recently, how do I know that my browser itself, as installed on my filesystem, isn't now innately subverted by the Iranian government? (Note the domain in question in this particular case.)
I don't know about Chrome's update process, but they can simply have their own verification without root certificates (i.e. just like what most Mac software with Sparkle updater do: keep a public key inside the app, and verify the signature of updates).
The auto-update process should be far more secure than SSL certificates. They'll have keys in the current Chrome which it'll use to check any updates are legitimate before they get unpacked/installed.
