Even with that "requirement", add a special minimal recovery that can be booted by the bootloader with a special button sequence and allows some form of flashing signed firmware.
This should be especially trivial when your device has some USB ports.
You can keep all the requirements that only a newer or the same version of firmware can be flashed, with all the refusal checks.
If you mess up, you can allow consumers to flash a fix using a regular pendrive.