Skip to content

[S2] Unsigned v1 licenses still accepted → complete Ed25519 bypass #261

Description

@DsThakurRawat

Labels: security, bug, pro, priority:high
File: src/tether/pro/license.py:212 (version not in (LICENSE_VERSION, LICENSE_VERSION_LEGACY_UNSIGNED)), :222 (signature verified only when == LICENSE_VERSION)

Description. load_license accepts both v2 (signed) and v1 (legacy unsigned). For v1 it skips signature verification entirely and only logs a warning.

Why it matters. An attacker writes ~/.tether/pro.license with license_version=1, tier="enterprise", expires_at far in the future, signature="", and a hardware_binding matching their own host (obtainable via probe_hardware_binding). No private key required — the entire v2 Ed25519 chain is bypassed by selecting the legacy version. Classic signature-downgrade; unlocks all Pro entitlements for free.

Tasks.

  • Reject v1 licenses in released builds; gate acceptance behind an explicit TETHER_DEV=1 env flag.
  • Require a valid signature for every accepted version.
  • Add a test asserting a v1 license is refused unless the dev flag is set.

Dedup. No issue/PR covers the v1 acceptance path. PR #229 preserves signed fields on heartbeat rewrite — different concern.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions