hidden services spoof

[Arrakistor]

I  am  writing  an  updater  for  tor to automatically grab the latest
version.  One  problem  I am coming across is where to host it so they
cannot  be  spoofed.  I  was  thinking  of putting it at a server in a
.onion  address.  How easily can a node in the tor network be spoofed?
Is  there  a  better  solution  than  hosting the tor updates inside a
.onion server?

Regards,
 Arrakistor