tka: reject removal of the last signing key

Fixes tailscale/corp#19447 Signed-off-by: Anton Tolchanov <anton@tailscale.com>
2025-08-15 23:47:39 +00:00 · 2025-06-13 14:45:28 +01:00
parent 59fab8bda7
commit 42da161b19
3 changed files with 25 additions and 0 deletions
--- a/tka/tka.go
+++ b/tka/tka.go
@@ -440,6 +440,13 @@ func aumVerify(aum AUM, state State, isGenesisAUM bool) error {
 			return fmt.Errorf("signature %d: %v", i, err)
 		}
 	}
+
+	if aum.MessageKind == AUMRemoveKey && len(state.Keys) == 1 {
+		if kid, err := state.Keys[0].ID(); err == nil && bytes.Equal(aum.KeyID, kid) {
+			return errors.New("cannot remove the last key in the state")
+		}
+	}
+
 	return nil
 }