The software/firmware would have its own signing keys. Counties would not have access to it. Counties could only load their specific voting profiles, which would be published similar to certificate transparency logs. The voting machines could display a signature of the ballot data in structured format for public auditing, that way each voter could check the signature (QR code, short generated phrase, etc) against a public record (newspaper, website, fliers printed in advance, etc).
