Testkeys present in release version of 7.0.0

Why does the release version of TurrisOS 7.0.0 medkit, downloaded from https://repo.turris.cz/archive/7.0.0/medkit/mox-medkit-202404020445.tar.gz contain testkeys in addition to the release and standby keys?

$ tar -tvf mox-medkit-202404020445.tar.gz | grep /etc/updater/keys/
drwxr-xr-x root/root         0 2024-04-02 02:46 ./etc/updater/keys/
-rw-r--r-- root/root       566 2022-07-25 10:40 ./etc/updater/keys/test.pub.sig
-rw-r--r-- root/root       566 2022-07-25 10:40 ./etc/updater/keys/release.pub.sig
-rw-r--r-- root/root       101 2022-07-25 10:40 ./etc/updater/keys/release.pub
-rw-r--r-- root/root        96 2022-07-25 10:40 ./etc/updater/keys/test.pub
-rw-r--r-- root/root       101 2022-07-25 10:40 ./etc/updater/keys/standby.pub
-rw-r--r-- root/root       566 2022-07-25 10:40 ./etc/updater/keys/standby.pub.sig

It sounds like a possible vulnerability if the keys are not removed afterwards by the user.

I guess because test branches could be signed by that and you would need it when changing branches. Just a lucky guess.

Good guess.

If you download the hbd (test branch) files:

https://repo.turris.cz/hbd/mox/packages/turrispackages/Packages
https://repo.turris.cz/hbd/mox/packages/turrispackages/Packages.sig

Then you can see that it is signed by the key corresponding to test.pub:

$ signify-openbsd -V -p test.pub -x Packages.sig -m Packages
Signature Verified

I am unsure why it would be present in a stable release of medkit 7.0.0, when it wasn’t present in any of the previous ones, and the addition of test keys was not announced anywhere nor documented anywhere.

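As an added example (not part of this thread, and not Turris project code), the following POSIX shell script does two things a defender would want after reading the posts above: it lists the key names shipped under ./etc/updater/keys/ in a medkit tarball and flags any that are not on an allow-list (release and standby are assumed to be the expected set, based on the listing in the first post), and it reads the 8-byte key number that the signify format embeds in every .pub and .sig file, so you can tell which shipped key a Packages.sig names before running signify-openbsd -V as shown above. The make_sample_medkit helper builds a constructed medkit layout with all-zero key material so the script can be exercised offline; none of those files are real Turris keys or signatures.

```shell
#!/bin/sh
# Added example: audit updater keys in a Turris medkit tarball and map a
# signify signature to the shipped key it names. Not project code.

# Keys a release medkit is assumed to carry (based on the thread's listing).
EXPECTED_KEYS="release standby"

# list_updater_keys TARBALL
# Prints the key names (without .pub / .pub.sig) found under
# ./etc/updater/keys/ in the tarball, one per line, deduplicated.
list_updater_keys() {
    tar -tf "$1" \
        | sed -n -e 's#^\./etc/updater/keys/\([^/]*\)\.pub\.sig$#\1#p' \
                 -e 's#^\./etc/updater/keys/\([^/]*\)\.pub$#\1#p' \
        | sort -u
}

# unexpected_keys TARBALL
# Prints every key name not in EXPECTED_KEYS; returns 1 if any was found.
unexpected_keys() {
    found=0
    for k in $(list_updater_keys "$1"); do
        case " $EXPECTED_KEYS " in
            *" $k "*) ;;
            *) echo "$k"; found=1 ;;
        esac
    done
    return $found
}

# signify_keynum FILE
# Prints the 8-byte key number (hex) embedded in a signify .pub or .sig:
# decode the base64 body after the comment line, skip the 2-byte "Ed"
# algorithm tag, take the next 8 bytes.
signify_keynum() {
    sed -n '2,$p' "$1" | tr -d '\n' | base64 -d \
        | od -An -tx1 -j2 -N8 | tr -d ' \n'
}

# signing_key_for SIGFILE KEYDIR
# Prints the name of the key in KEYDIR whose key number matches SIGFILE,
# or "unknown". This only says which key the signature names; the actual
# cryptographic check is still signify-openbsd -V as used in the thread.
signing_key_for() {
    want=$(signify_keynum "$1")
    for pub in "$2"/*.pub; do
        if [ "$(signify_keynum "$pub")" = "$want" ]; then
            basename "$pub" .pub
            return 0
        fi
    done
    echo unknown
    return 1
}

# write_signify_blob FILE KEYNUM_BYTE PAYLOAD_LEN
# Constructed sample data: two-line signify layout, a comment line followed
# by base64 of "Ed" + 8-byte key number + PAYLOAD_LEN zero bytes
# (32 for a public key, 64 for a signature).
write_signify_blob() {
    {
        echo "untrusted comment: constructed sample, not a real key or signature"
        {
            printf 'Ed'
            head -c 7 /dev/zero
            printf "\\$(printf '%03o' "$2")"
            head -c "$3" /dev/zero
        } | base64 | tr -d '\n'
        echo
    } > "$1"
}

# make_sample_medkit DIR
# Builds a constructed medkit tree under DIR with release, standby and test
# keys (key numbers 1, 2, 3), a Packages.sig naming the test key, and tars
# the ./etc tree as DIR/medkit.tar, mirroring the paths in the first post.
make_sample_medkit() {
    dir=$1
    mkdir -p "$dir/etc/updater/keys"
    i=1
    for name in release standby test; do
        write_signify_blob "$dir/etc/updater/keys/$name.pub" "$i" 32
        i=$((i + 1))
    done
    write_signify_blob "$dir/Packages.sig" 3 64
    ( cd "$dir" && tar -cf medkit.tar ./etc )
}

# Usage: ./audit-medkit.sh mox-medkit-202404020445.tar.gz
# Prints unexpected key names and exits non-zero if any are present.
[ $# -eq 0 ] || unexpected_keys "$1"
```

Run against the real medkit from the first post, the script should print `test`, since that tarball carries test.pub alongside release.pub and standby.pub; `signing_key_for Packages.sig ./etc/updater/keys` then reports which of those keys a downloaded Packages.sig names, which is the same conclusion the thread reaches with signify-openbsd, obtained without having to try each key in turn.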