feat(ota): Add support for signed binaries

[lucasssvaz]

Description of Change

This pull request introduces secure OTA (Over-The-Air) firmware update capabilities with cryptographic signature verification to the ArduinoOTA library and its examples. The main focus is on enabling devices to only accept firmware that has been signed with an authorized private key, significantly improving security against unauthorized or tampered updates. The changes include new example code, documentation, build workflow updates, and modifications to the ArduinoOTA core to support signature verification.

Key changes:

Secure OTA Signature Verification Support

• Added support for cryptographic signature verification in the ArduinoOTA library, allowing users to specify a signature verifier (RSA or ECDSA) via the new setSignature() method. This ensures only signed firmware is accepted during OTA updates. [1] [2] [3] [4] [5] [6]

New Example: SignedOTA

• Introduced a new SignedOTA example, including:
  • SignedOTA.ino: Demonstrates secure OTA with signature verification, configurable for different algorithms and optional password protection.
  • public_key.h: Contains a test RSA public key for demonstration purposes; users are instructed to generate and use their own keys.
  • README.md: Comprehensive instructions for setup, key generation, signing firmware, and troubleshooting.
  • ci.yml: Ensures the example is only built when WiFi support is present.

Build and Workflow Enhancements

• Updated the build workflow (build_py_tools.yml) to include the new tools/bin_signing.py tool, which is required for signing firmware images as part of the secure OTA process. [1] [2]

---

These changes collectively add a robust security layer to OTA updates, protecting devices from unauthorized or malicious firmware installations.

Test Scenarios

Tested locally

Related links

Closes #8141

[github-actions]

	Messages
📖	This PR seems to be quite large (total lines of code: 2293), you might consider splitting it into smaller PRs

👋 Hello lucasssvaz, we appreciate your contribution to this project!

---

📘 Please review the project's Contributions Guide for key guidelines on code, documentation, testing, and more.

---

🖊️ Please also make sure you have read and signed the Contributor License Agreement for this project.

---

Click to see more instructions ...

This automated output is generated by the PR linter DangerJS, which checks if your Pull Request meets the project's requirements and helps you fix potential issues.

DangerJS is triggered with each push event to a Pull Request and modify the contents of this comment.

Please consider the following:
- Danger mainly focuses on the PR structure and formatting and can't understand the meaning behind your code or changes.
- Danger is not a substitute for human code reviews; it's still important to request a code review from your colleagues.
- Addressing info messages (📖) is strongly recommended; they're less critical but valuable.
- To manually retry these Danger checks, please navigate to the Actions tab and re-run last Danger workflow.

Review and merge process you can expect ...

We do welcome contributions in the form of bug reports, feature requests and pull requests.

1. An internal issue has been created for the PR, we assign it to the relevant engineer.
2. They review the PR and either approve it or ask you for changes or clarifications.
3. Once the GitHub PR is approved we do the final review, collect approvals from core owners and make sure all the automated tests are passing.
- At this point we may do some adjustments to the proposed change, or extend it by adding tests or documentation.
4. If the change is approved and passes the tests it is merged into the default branch.

Generated by 🚫 dangerJS against 31f717f

[github-actions]

Test Results

 76 files   76 suites   14m 53s ⏱️
 38 tests  38 ✅ 0 💤 0 ❌
241 runs  241 ✅ 0 💤 0 ❌

Results for commit 31f717f.

♻️ This comment has been updated with latest results.

[github-actions]

Memory usage test (comparing PR against master branch)

The table below shows the summary of memory usage change (decrease - increase) in bytes and percentage for each target.

Memory	FLASH [bytes]		FLASH [%]		RAM [bytes]		RAM [%]
Target	DEC	INC	DEC	INC	DEC	INC	DEC	INC
ESP32C5	0	‼️ +6K	0.00	‼️ +1.48	0	⚠️ +32	0.00	⚠️ +0.09
ESP32P4	0	‼️ +6K	0.00	‼️ +1.44	0	⚠️ +32	0.00	⚠️ +0.10
ESP32S3	0	‼️ +5K	0.00	‼️ +1.37	0	⚠️ +24	0.00	⚠️ +0.07
ESP32S2	0	‼️ +5K	0.00	‼️ +1.56	0	⚠️ +24	0.00	⚠️ +0.10
ESP32C3	0	‼️ +6K	0.00	‼️ +1.54	0	⚠️ +32	0.00	⚠️ +0.12
ESP32C6	0	‼️ +5K	0.00	‼️ +1.70	0	⚠️ +32	0.00	⚠️ +0.22
ESP32H2	0	‼️ +5K	0.00	‼️ +1.53	0	⚠️ +16	0.00	⚠️ +0.11
ESP32	0	‼️ +5K	0.00	‼️ +1.46	0	⚠️ +24	0.00	⚠️ +0.11

Click to expand the detailed deltas report [usage change in BYTES]

Target	ESP32C5		ESP32P4		ESP32S3		ESP32S2		ESP32C3		ESP32C6		ESP32H2		ESP32
Example	FLASH	RAM	FLASH	RAM	FLASH	RAM	FLASH	RAM	FLASH	RAM	FLASH	RAM	FLASH	RAM	FLASH	RAM
libraries/ArduinoOTA/examples/BasicOTA	⚠️ +830	⚠️ +16	⚠️ +830	⚠️ +32	⚠️ +1000	⚠️ +24	⚠️ +1008	⚠️ +24	⚠️ +826	⚠️ +16	⚠️ +830	⚠️ +16	-	-	⚠️ +1008	⚠️ +24
libraries/ArduinoOTA/examples/SignedOTA	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-
libraries/HTTPUpdate/examples/httpUpdate	‼️ +6K	⚠️ +16	‼️ +6K	⚠️ +32	‼️ +5K	⚠️ +24	‼️ +5K	⚠️ +16	‼️ +5K	⚠️ +16	‼️ +5K	⚠️ +16	-	-	‼️ +5K	⚠️ +24
libraries/HTTPUpdate/examples/httpUpdateSPIFFS	‼️ +6K	⚠️ +16	‼️ +6K	⚠️ +32	‼️ +5K	⚠️ +24	‼️ +5K	⚠️ +16	‼️ +5K	⚠️ +16	‼️ +5K	⚠️ +16	-	-	‼️ +5K	⚠️ +24
libraries/HTTPUpdate/examples/httpUpdateSecure	‼️ +6K	⚠️ +16	‼️ +6K	⚠️ +32	‼️ +5K	⚠️ +24	‼️ +5K	⚠️ +16	‼️ +5K	⚠️ +16	‼️ +5K	⚠️ +16	-	-	‼️ +5K	⚠️ +24
libraries/HTTPUpdateServer/examples/WebUpdater	‼️ +6K	⚠️ +32	‼️ +6K	⚠️ +16	‼️ +4K	⚠️ +16	‼️ +4K	⚠️ +16	‼️ +5K	⚠️ +32	‼️ +5K	⚠️ +16	-	-	‼️ +4K	⚠️ +24
libraries/Update/examples/AWS_S3_OTA_Update	‼️ +6K	⚠️ +32	‼️ +5K	⚠️ +16	‼️ +5K	⚠️ +16	‼️ +5K	⚠️ +16	‼️ +5K	⚠️ +32	‼️ +5K	⚠️ +16	-	-	‼️ +5K	⚠️ +24
libraries/Update/examples/HTTP_Client_AES_OTA_Update	‼️ +6K	⚠️ +16	‼️ +6K	⚠️ +16	‼️ +5K	⚠️ +16	‼️ +5K	⚠️ +16	‼️ +5K	⚠️ +16	‼️ +5K	⚠️ +16	-	-	‼️ +5K	⚠️ +16
libraries/Update/examples/HTTP_Server_AES_OTA_Update	‼️ +6K	⚠️ +32	‼️ +6K	⚠️ +16	‼️ +4K	⚠️ +16	‼️ +4K	⚠️ +16	‼️ +5K	⚠️ +32	‼️ +5K	⚠️ +16	-	-	‼️ +4K	⚠️ +24
libraries/Update/examples/OTAWebUpdater	‼️ +6K	⚠️ +16	‼️ +6K	⚠️ +32	‼️ +4K	⚠️ +24	‼️ +4K	⚠️ +24	‼️ +5K	⚠️ +16	‼️ +5K	⚠️ +16	-	-	‼️ +4K	⚠️ +16
libraries/Update/examples/SD_Update	‼️ +5K	⚠️ +16	‼️ +5K	⚠️ +16	‼️ +5K	⚠️ +16	‼️ +5K	⚠️ +16	‼️ +6K	⚠️ +16	‼️ +5K	⚠️ +32	‼️ +5K	⚠️ +16	‼️ +5K	⚠️ +24
libraries/Update/examples/Signed_OTA_Update	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-
libraries/WebServer/examples/HttpAdvancedAuth	⚠️ +830	⚠️ +32	⚠️ +830	⚠️ +16	⚠️ +988	⚠️ +24	⚠️ +1004	⚠️ +24	⚠️ +826	⚠️ +32	⚠️ +830	⚠️ +16	-	-	⚠️ +984	⚠️ +24
libraries/WebServer/examples/HttpAuthCallback	⚠️ +830	⚠️ +32	⚠️ +830	⚠️ +16	⚠️ +988	⚠️ +24	⚠️ +1024	⚠️ +24	⚠️ +826	⚠️ +32	⚠️ +830	⚠️ +16	-	-	⚠️ +1028	⚠️ +24
libraries/WebServer/examples/HttpAuthCallbackInline	⚠️ +830	⚠️ +32	⚠️ +830	⚠️ +16	⚠️ +988	⚠️ +24	⚠️ +1012	⚠️ +24	⚠️ +826	⚠️ +32	⚠️ +830	⚠️ +16	-	-	⚠️ +1000	⚠️ +24
libraries/WebServer/examples/HttpBasicAuth	⚠️ +830	⚠️ +32	⚠️ +830	⚠️ +16	⚠️ +972	⚠️ +24	⚠️ +1016	⚠️ +24	⚠️ +826	⚠️ +32	⚠️ +830	⚠️ +16	-	-	⚠️ +1008	⚠️ +24
libraries/WebServer/examples/HttpBasicAuthSHA1	⚠️ +826	⚠️ +32	⚠️ +826	⚠️ +16	⚠️ +984	⚠️ +24	⚠️ +1060	⚠️ +24	⚠️ +826	⚠️ +32	⚠️ +826	⚠️ +16	-	-	⚠️ +1024	⚠️ +24
libraries/WebServer/examples/HttpBasicAuthSHA1orBearerToken	⚠️ +826	⚠️ +32	⚠️ +826	⚠️ +16	⚠️ +1000	⚠️ +24	⚠️ +1040	⚠️ +24	⚠️ +826	⚠️ +32	⚠️ +826	⚠️ +32	-	-	⚠️ +1016	⚠️ +24
libraries/WebServer/examples/WebUpdate	‼️ +6K	⚠️ +16	‼️ +6K	⚠️ +16	‼️ +4K	⚠️ +16	‼️ +4K	⚠️ +16	‼️ +5K	⚠️ +16	‼️ +5K	⚠️ +32	-	-	‼️ +4K	⚠️ +24