Signed Firmware for OTA / X.509 / RFC3161


Post by dirkxus » Sun Apr 19, 2020 8:13 pm

As we all know - the Arduino OTA updating process is not very secure - with the key (or an MD5 which you can use as a key) hardcoded in the firmware and on the ESP32.

We needed something a bit better. So not sure how useful this is to folks - but on the principle of share early and often; you can find at
and on
a fully functional secure/signed ArduinoOTA (also for SD cards and web interfaces) public/private keypair based security for the firmware updates.

It (should) work(s) for both a hobby setup (local, single key) and for a normal enterprise style setup, with backup keys, master keys, delegation that is different for production and test/developer firmware and so on.

Any and all feedback welcome!

Dw.
