Smart cities are a concept of interest to many industrial, academic and government organisations. However, smart cities present a large attack surface to adversaries if every traffic light, power relay and water pipe are connected to the internet. This paper describes the problem of distributing software in a smart city when strong protection of device software, software installation and update provision are required. A set of requirements for a secure software provisioning system is presented and two models for the software distribution are proposed. Three protocols for distributing software are presented that meet the requirements stated. A formal analysis using Tamarin Prover is described that proves the security of the proposed protocols. Finally, an implementation has been developed using a laptop and Raspberry Pi 3 to demonstrate the proposed protocols in action and the performance of them.