Remote reprogramming of in situ wireless sensor networks (WSNs) via the wireless link is an important capability. Securing the process of reprogramming allows each sensor node to authenticate each received code image. Due to the resource constraints of WSNs, public key schemes must be used sparingly. This paper introduces a mechanism for secure and efficient code distribution that employs public key cryptography only to sign the root of a combined structure consisting of both hash chains and hash trees. The chain-based scheme works best when packets are received in the order they are sent with very few losses. Our hash-tree-based scheme allows nodes to authenticate packets and verify their integrity quickly, even when the packets may arrive out of order, but can result in too many public key operations. Integrating hash chains and hash trees produces a mechanism that is both resilient to losses and lightweight in terms of reducing memory consumption and the number of public key operations that a node has to perform. Simulation shows that the proposed secure reprogramming schemes add only a modest amount of overhead to a conventional non-secure reprogramming scheme, namely Deluge, and are therefore feasible and practical in a wireless sensor network.
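The trade-off described above, between in-order hash chains and order-independent hash trees, can be seen in a generic sketch of the two building blocks. This is an added example, not the paper's construction or code, and it does not show how the paper combines the two. Assumptions: SHA-256, a power-of-two number of chunks, hypothetical function names, and a root that the node has already authenticated with a single signature verification (not implemented here).

```python
import hashlib

def H(b): return hashlib.sha256(b).digest()

# Both roots below are assumed to be covered by one verified public key signature.
def build_chain(chunks):
    """Packet i = chunk_i || H(packet i+1), built back to front. Returns (root, packets)."""
    packets, nxt = [], bytes(32)          # all-zero digest terminates the chain
    for chunk in reversed(chunks):
        packets.append(chunk + nxt)
        nxt = H(packets[-1])
    return nxt, packets[::-1]

def verify_chain(root, packets):
    """Count packets authenticated, in arrival order, before the first mismatch."""
    expected, ok = root, 0
    for pkt in packets:
        if H(pkt) != expected:
            break
        expected, ok = pkt[-32:], ok + 1  # trailing 32 bytes commit to the next packet
    return ok

def build_tree(chunks):
    """Merkle tree over a power-of-two number of chunks. Returns (root, proofs)."""
    level = [H(b"\x00" + c) for c in chunks]      # domain-separated leaves
    pos, proofs = list(range(len(chunks))), [[] for _ in chunks]
    while len(level) > 1:
        for i in range(len(chunks)):
            proofs[i].append(level[pos[i] ^ 1])   # sibling at this level
            pos[i] //= 2
        level = [H(b"\x01" + level[j] + level[j + 1]) for j in range(0, len(level), 2)]
    return level[0], proofs

def verify_leaf(root, index, chunk, proof):
    """Authenticate one chunk on its own, whatever order it arrived in."""
    node = H(b"\x00" + chunk)
    for sib in proof:
        node = H(b"\x01" + (sib + node if index & 1 else node + sib))
        index >>= 1
    return node == root

# Constructed sample image: 8 chunks of 16 bytes each.
CHUNKS = [bytes([i]) * 16 for i in range(8)]

if __name__ == "__main__":
    c_root, pkts = build_chain(CHUNKS)
    t_root, proofs = build_tree(CHUNKS)
    print("chain, in order:     ", verify_chain(c_root, pkts))
    print("chain, packet 2 lost:", verify_chain(c_root, pkts[:2] + pkts[3:]))
    print("tree, reverse order: ", all(verify_leaf(t_root, i, CHUNKS[i], proofs[i]) for i in reversed(range(8))))
```

The chain adds one digest per packet but stalls at the first gap, while each tree packet carries a path of log2(n) digests and verifies independently.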