From 42da161b194abe7104cbc8312f913a3db296d6b5 Mon Sep 17 00:00:00 2001
From: Anton Tolchanov <anton@tailscale.com>
Date: Fri, 13 Jun 2025 14:45:28 +0100
Subject: [PATCH] tka: reject removal of the last signing key

Fixes tailscale/corp#19447

Signed-off-by: Anton Tolchanov <anton@tailscale.com>
---
 cmd/tailscale/cli/network-lock.go |  3 +++
 tka/builder_test.go               | 15 +++++++++++++++
 tka/tka.go                        |  7 +++++++
 3 files changed, 25 insertions(+)

diff --git a/cmd/tailscale/cli/network-lock.go b/cmd/tailscale/cli/network-lock.go
index c77767074..ae1e90bbf 100644
--- a/cmd/tailscale/cli/network-lock.go
+++ b/cmd/tailscale/cli/network-lock.go
@@ -326,6 +326,9 @@ func runNetworkLockRemove(ctx context.Context, args []string) error {
 	if !st.Enabled {
 		return errors.New("tailnet lock is not enabled")
 	}
+	if len(st.TrustedKeys) == 1 {
+		return errors.New("cannot remove the last trusted signing key; use 'tailscale lock disable' to disable tailnet lock instead, or add another signing key before removing one")
+	}
 
 	if nlRemoveArgs.resign {
 		// Validate we are not removing trust in ourselves while resigning. This is because
diff --git a/tka/builder_test.go b/tka/builder_test.go
index 666af9ad0..3dbd4347a 100644
--- a/tka/builder_test.go
+++ b/tka/builder_test.go
@@ -5,6 +5,7 @@ package tka
 
 import (
 	"crypto/ed25519"
+	"strings"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
@@ -90,6 +91,20 @@ func TestAuthorityBuilderRemoveKey(t *testing.T) {
 	if _, err := a.state.GetKey(key2.MustID()); err != ErrNoSuchKey {
 		t.Errorf("GetKey(key2).err = %v, want %v", err, ErrNoSuchKey)
 	}
+
+	// Check that removing the remaining key errors out.
+	b = a.NewUpdater(signer25519(priv))
+	if err := b.RemoveKey(key.MustID()); err != nil {
+		t.Fatalf("RemoveKey(%v) failed: %v", key, err)
+	}
+	updates, err = b.Finalize(storage)
+	if err != nil {
+		t.Fatalf("Finalize() failed: %v", err)
+	}
+	wantErr := "cannot remove the last key"
+	if err := a.Inform(storage, updates); err == nil || !strings.Contains(err.Error(), wantErr) {
+		t.Fatalf("expected Inform() to return error %q, got: %v", wantErr, err)
+	}
 }
 
 func TestAuthorityBuilderSetKeyVote(t *testing.T) {
diff --git a/tka/tka.go b/tka/tka.go
index 04b712660..ade621bc6 100644
--- a/tka/tka.go
+++ b/tka/tka.go
@@ -440,6 +440,13 @@ func aumVerify(aum AUM, state State, isGenesisAUM bool) error {
 			return fmt.Errorf("signature %d: %v", i, err)
 		}
 	}
+
+	if aum.MessageKind == AUMRemoveKey && len(state.Keys) == 1 {
+		if kid, err := state.Keys[0].ID(); err == nil && bytes.Equal(aum.KeyID, kid) {
+			return errors.New("cannot remove the last key in the state")
+		}
+	}
+
 	return nil
 }