As we all know - the Arduino OTA updating process is not very secure - with the key (or an MD5 which you can use as a key) hardcoded in the firmware and on the ESP32.
We needed something a bit better over here.
So not sure how useful this is to folks - but on the principle of share early and often; you can find it at:
and on
a fully functional secure/signed ArduinoOTA (also for SD cards and webintefaces) public/private key-pair based security for the firmware updates. This version leaves is ESP32 specific (the ESP8662 version is heavy for that sort of flash sizes).
It (should) work(s) for both a hobby setup (local, single key, self-signed, no governance/administrative info) and for a normal enterprise style setup, with backup keys, master keys, delegation that different for production and test/developer firmware (and all that X509, and what not net you) and so on.
We have a variant that does S/MIME - but settled for now on this -as https://tools.ietf.org/html/rfc8576, https://hal.inria.fr/hal-02351794/file/HAL-version.pdf and so on make a solid case for needing a timestamp (while keeping it simple). And with Redwax Server – Timestamp Demo/Interop it is as trivial as 'running a webserver' to integrate this into a CI / CD system.
Any and all feedback welcome !
Dw.