Methods and apparatus to provide for efficient and secure software updates

US10033534B2 · US · B2

Patent metadata
Publication number: US-10033534-B2
Application number: US-201514955255-A
Country: US
Kind code: B2
Filing date: Dec 1, 2015
Priority date: Dec 1, 2015
Publication date: Jul 24, 2018
Grant date: Jul 24, 2018

Abstract

In a method for validating software updates, a data processing system contains a current version of a software component. The data processing system saves at least first and second current advance keys (AKs). After saving the current AKs, the data processing system receives an update package for a new version of the software component. The data processing system extracts a digital signature and two or more new AKs from the update package. The data processing system uses at least one current AK to determine whether the digital signature is valid. In response to a determination that the digital signature is valid, the data processing system uses a software image from the update package to update the software component, and the data processing system saves the new AKs, for subsequent utilization as the current AKs. Other embodiments are described and claimed.
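The flow in the abstract, with each AK stored as a hash of a public key (the form claim 3 on this page describes), as an added Python example that is not code from the patent. The Lamport one-time signature is a stand-in for the signature scheme, which the page does not specify; the package layout, the `Device` class and what the signature covers are assumptions.

```python
import hashlib, hmac, os

def H(b): return hashlib.sha256(b).digest()

# Stand-in signature scheme (assumption): Lamport one-time signatures over SHA-256.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, b"".join(H(s) for pair in sk for s in pair)  # (private, public)

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return b"".join(sk[i][b] for i, b in enumerate(bits(msg)))

def verify(pk, msg, sig):
    if len(pk) != 256 * 64 or len(sig) != 256 * 32:
        return False
    return all(H(sig[32*i:32*i+32]) == pk[64*i+32*b:64*i+32*b+32]
               for i, b in enumerate(bits(msg)))

def signed_bytes(image, new_aks):
    # Assumption: the signature covers the image AND the new AKs, so neither can
    # be swapped. The length prefix keeps the image/AK boundary unambiguous.
    return len(image).to_bytes(8, "big") + image + b"".join(new_aks)

def build_package(image, signer, next_signers):  # vendor side (hypothetical layout)
    sk, pk = signer
    new_aks = [H(npk) for _, npk in next_signers]
    return {"image": image, "pubkey": pk, "new_aks": new_aks,
            "sig": sign(sk, signed_bytes(image, new_aks))}

class Device:
    def __init__(self, image, aks):
        self.image, self.aks = image, list(aks)

    def apply(self, pkg):
        key_hash = H(pkg["pubkey"])
        # Try the first current AK, then fall back to the second.
        if not any(hmac.compare_digest(key_hash, ak) for ak in self.aks):
            return False
        msg = signed_bytes(pkg["image"], pkg["new_aks"])
        if len(pkg["new_aks"]) < 2 or not verify(pkg["pubkey"], msg, pkg["sig"]):
            return False
        self.image, self.aks = pkg["image"], list(pkg["new_aks"])  # rotate AKs
        return True

def demo():
    k1a, k1b, k2a, k2b, rogue = (keygen() for _ in range(5))  # constructed keys
    dev = Device(b"v0", [H(k1a[1]), H(k1b[1])])
    good = build_package(b"v1", k1b, [k2a, k2b])  # signed with the second AK's key
    forged = build_package(b"evil", rogue, [rogue, rogue])
    tampered = dict(good, image=b"v1-modified")
    return [dev.apply(p) for p in (forged, tampered, good, good)], dev.image
```

The second attempt to apply `good` is rejected because the device has already rotated to the new AKs, so the key that signed version 1 is no longer trusted.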

First claim

Opening claim text (preview).

What is claimed is:

1. A data processing system with support for validation of software updates, the data processing system comprising: storage; a processor in communication with the storage; a communications port in communication with the processor, and a software manager in the storage, wherein the software manager, when executed by the processor, enables the data processing system to: save a current version of a software component in the storage; save at least first and second current advance keys (AKs) in the storage; after saving the current AKs in the storage, receive via the communications port an update package for a new version of the software component; extract a digital signature from the update package; extract at least first and second new AKs from the update package, wherein the first and second new AKs are indicative of a key pair used to sign a version of the software component subsequent to the new version of the software component; use at least one current AK to determine whether the digital signature is valid; and in response to a determination that the digital signature is valid: use a software image from the update package to update the software component; and save the new AKs, for subsequent utilization as the current AKs.

2. A data processing system according to claim 1, wherein the software manager enables the data processing system to automatically use the second current AK to determine whether the digital signature is valid, in response to validation failure with the first current AK.

3. A data processing system according to claim 1, wherein: the first current AK comprises a hash of a public key; the software manager further enables the data processing system to extract a plaintext version of the public key from the update package; and the operation of using at least one current AK to determine whether the digital signature is valid comprises: generating a new key hash by hashing the plaintext version of the public key; determining whether the new key hash matches the first current AK; and in response to a determination that the new key hash matches the first current AK, using the plaintext version of the public key to determine whether the digital signature was generated using a private key that corresponds to the public key.

4. A data processing system according to claim 1, further with support for fast path updates, wherein: the first current AK comprises an advance minor update key; the second current AK comprises an advance major update key; and the software manager further enables the data processing system to: automatically apply a minor software update if the digital signature is found valid with the minor update key; and automatically apply a major software update if the digital signature is found valid with the major update key.

5. A data processing system according to claim 4, further with support for delegation among software providers, wherein: the current version of the software component in the data processing system comprises a current image from a current software provider; the new version of the software component in the update package comprises a new image from a new software provider; at least one of the current AKs comprises an AK from the current software provider; at least one of the new AKs comprises an AK from the new software provider; and the operation of saving the new AKs, for subsequent utilization as the current AKs, comprises saving the AK from the new software provider, for subsequent utilization as the current AK.

6. A data processing system according to claim 1, further with support for image recovery after an update, wherein: the software image from the update package comprises a version N image; the current AK that was successfully used to validate the digital signature for the update package with the version N image comprises an AK N; the new AKs comprise at least one AK N+1; and the software manager further enables the data processing system to: in addition to saving the AK N+1 in the data processing system as one of the current AKs, save AK N in the data processing system as a recovery key; after using the software image from the update package to update the software component, use AK N to re-validate the update package; and after using AK N to re-validate the update package, re-apply the software image from the update package to the software component.

7. An apparatus with support for validation of software updates, the apparatus comprising: at least one non-transitory machine-accessible storage medium; and a software manager in the machine-accessible storage medium which, when executed by a processor of a data processing system, enables the data processing system to: save a current version of a software component in the machine-accessible storage medium; save at least first and second current advance keys (AKs) in the machine-accessible storage medium; after saving the current AKs in the machine-accessible storage medium, receive an update package for a new version of the software component; extract a digital signature from the update package; extract at least first and second new AKs from the update package, wherein the first and second new AKs are indicative of a key pair used to sign a version of the software component subsequent to the new version of the software component; use at least one current AK to determine whether the digital signature is valid; in response to a determination that the digital signature is valid: use a software image from the update package to update the software component; and save the new AKs, for subsequent utilization as the current AKs.

8. An apparatus according to claim 7, wherein the software manager enables the data processing system to automatically use the second current AK to determine whether the digital signature is valid, in response to validation failure with the first current AK.

9. An apparatus according to claim 7, wherein: the first current AK comprises a hash of a public key; the software manager further enables the data processing system to extract a plaintext version of the public key from the update package; and the operation of using at least one current AK to determine whether the digital signature is valid comprises: generating a new key hash by hashing the plaintext version of the public key; determining whether the new key hash matches the first current AK; and in response to a determination that the new key hash matches the first current AK, using the plaintext version of the public key to determine whether the digital signature was generated using a private key that corresponds to the public key.

10. An apparatus according to claim 7, further with support for fast path updates, wherein: the first current AK comprises an advance minor update key; the second current AK comprises an advance major update key; and the software manager further enables the data processing system to: automatically apply a minor software update if the digital signature is found valid with the minor update key; and automatically apply a major software update if the digital signature is found valid with the major update key.

11. An apparatus according to claim 10, further with support for delegation among software providers, wherein: the current version of the software component in the data processing system comprises a current image from a current software provider; the new version of the software component in the update package comprises a new image from a new software provider; at least one of the current AKs comprises an AK from the current software provider; at least one of the

Classifications

  • involving the movement of software or configuration parameters (network booting or remote initial program loading [RIPL] G06F9/4416)

  • using a plurality of keys or algorithms

  • based on error correction codes, e.g. McEliece

  • H04L9/3247 (Primary): involving digital signatures

  • received data contents, e.g. message integrity

Frequently asked questions

Who is the assignee on this patent?
Intel Corp
What technology area does this patent fall under?
Primary CPC classification H04L9/3247. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jul 24, 2018 (B2). Legal status and post-grant events are not shown on this page.