In collaboration with @dangowrt the server makes use of `ucert`. Active
workers sign created firmware and clients check if the signature is
valid. Certs of *hacked* or inactive workers can be revoked. Private CA
key is **not** stored on the upgrade server.
Only for devices already supporting ucert via firmware metadata.
Signed-off-by: Paul Spooren <mail@aparcar.org>
