Technologies for secure software update include an update server and one or more client computing devices. The update server generates a software release including release components, such as packages and/or bundles, and a version number. The update server generates an integrity hash tree over the software release and a Lamport one-time signature key pair for each node of the integrity hash tree. The update server generates a Merkle signature scheme authentication tree based on the key pairs and signs each node of the integrity hash tree. The update server signs the root of the authentication tree with an anchor private key. A client computing device downloads one or more release components and verifies the release components with the integrity hash tree, the signatures, and the authentication tree. The client computing device verifies the root of the authentication tree with an anchor public key. Other embodiments are described and claimed.