diff --git a/meta-ohos-core/recipes-core/rauc/files/ostc-insecure-cert.pem b/meta-ohos-core/recipes-core/rauc/files/ostc-insecure-cert.pem
new file mode 120000
index 0000000000000000000000000000000000000000..b43558dc9e6e3448ddca1d2cb61221013be854e7
--- /dev/null
+++ b/meta-ohos-core/recipes-core/rauc/files/ostc-insecure-cert.pem
@@ -0,0 +1 @@
+../insecure-keys/cert.pem
\ No newline at end of file
diff --git a/meta-ohos-core/recipes-core/rauc/files/raspberrypi4/system.conf b/meta-ohos-core/recipes-core/rauc/files/raspberrypi4/system.conf
index 87a52272f22f3567ba94fafee1fa6648e1f8420d..db2de8ff627f2530779415ffbd025169059fee60 100644
--- a/meta-ohos-core/recipes-core/rauc/files/raspberrypi4/system.conf
+++ b/meta-ohos-core/recipes-core/rauc/files/raspberrypi4/system.conf
@@ -24,8 +24,7 @@ device=/dev/mmcblk0p3
 bootname=B
 
 [keyring]
-# FIXME(zyga): This keyring should be defined somewhere.
-path=/etc/rauc/cert.pem
+path=/etc/rauc/ostc-insecure-cert.pem
 
 [handlers]
 # Use SystemOTA for RAUC pre-install and post-install handlers. This is
diff --git a/meta-ohos-core/recipes-core/rauc/insecure-keys/cert.pem b/meta-ohos-core/recipes-core/rauc/insecure-keys/cert.pem
new file mode 100644
index 0000000000000000000000000000000000000000..dd93658c6e20c7dd1736a3a2fbdfbedbc13968ad
--- /dev/null
+++ b/meta-ohos-core/recipes-core/rauc/insecure-keys/cert.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFqzCCA5OgAwIBAgIUFu9TLmQwFHVklqu2i1r4G8ffaX4wDQYJKoZIhvcNAQEL
+BQAwZTEUMBIGA1UEAwwLb3N0Yy1ldS5vcmcxLzAtBgNVBAoMJk9wZW4gU291cmNl
+IFRlY2hub2xvZ3kgQ2VudGVyIChFdXJvcGUpMQswCQYDVQQGEwJQTDEPMA0GA1UE
+BwwGV2Fyc2F3MB4XDTIxMTAwMTA4NTM0MFoXDTIyMTAwMTA4NTM0MFowZTEUMBIG
+A1UEAwwLb3N0Yy1ldS5vcmcxLzAtBgNVBAoMJk9wZW4gU291cmNlIFRlY2hub2xv
+Z3kgQ2VudGVyIChFdXJvcGUpMQswCQYDVQQGEwJQTDEPMA0GA1UEBwwGV2Fyc2F3
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAs3cKxU+a4a/l9WNqd56D
+D/jfYqIn6f5cjByVlgETWzlnCXlvinxi37kKSSrlefsddijo5dLU6VgMFQOgBdoU
+Sjnq3ADf/nQn8gxzAMnRYjdPg7+sRIXqXoNfyUPeTEskilbTV45AShC7pNiRVLpI
+H3QsfpSqnjklRTgfy8QZ+QLZomZFkebkVvSpyBzR7Tp0ThprT1sz8tjJUMNF7bHs
+uhaA58UUJGvJ5r+hpZ8tMlrgsjC9AI+fx7H/urpC4u9eL1FJ6p0aSzOCMuF6G7vF
+tt5k3cruklB5Crav3ec3o0zsuNUGhNL5mi3mSAgPDYt/8evpcgVf8lr+CTkJNxmq
+TOSUlP8UTWDtNFr3nfmUTTxU8f0WE3MAtmxQpmL6x46I+3bWLSwYJeqKlkODayje
+6jALOJAY0MzyABpx+/kpKtSZgz2NLLJIdWgTz15/6EiOJqipwRMVduFJfzfdEe34
+X+xtbMjRK/CFEB6OMWwnmTmIYuPpS8tMpudNp2IL0E4LPjYHzaimX4ZG+QVX6zv/
+3Rf0UijDAcUQ8xRx/LB2k4V++0JapLmMXhb/xPWX536XBaR8f4Eej4/B825yr8j+
+tey1EbhWtjenUk1k0fnRKqfBr7E7WYV32qDyp+Sm1nEHT6CRPuuAd2i7e8V25VGh
+uzUHww1ykB7XXz2w8Ysa5c0CAwEAAaNTMFEwHQYDVR0OBBYEFFL5nYXej6FBMQNI
+DV0QKwkn67OvMB8GA1UdIwQYMBaAFFL5nYXej6FBMQNIDV0QKwkn67OvMA8GA1Ud
+EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAKCDTCQKmrAAki41uBHL9Sb4
+Hcacqv8AYVETNDKwp2MA63bOgGG2dPVLLGrpg6gCR5t8YFvqHa7jHpvzv8AlJfJt
+hyfAANhvvBTkWvEQUFSDqybA8FZR/hvVuVqnlFbQuXcUTBw+/Br4Atx45h6oPwCT
+d9A0hTZJxL12XKiV8vPEbiPZ+RE+3pCyNBqpVczshA9kYz6+Od3diRbpJ1NL8a2g
+asf44DlyIq4wgHIqIdJ7CpxRD0MZxZEsLe+MMt0+gCZQ6saddMg6VcpU188nGHgL
+HmuxCzZzRrpbTzQupM0rHac/gmwgLjDAxtr0QRHr1acm8Mnol22SrwER8GBuSrKm
+vqk4nvkbzhOdNrjBXv0sYZS2sA4tIfUzLwywqTKbt4OL/UdV3GutsarIIG/62qCf
+9Qr+PfI7kKRCFO5Gz7I0Xbtqpcb6kaVa/rUnprAeDHufl/jj5FJOPD7EVFxBf8Hg
+BmdlbUTv9ef9v+cLEBxoIJemu4f+yZR3GgLMlfWfEc3PqpqvfeVo4I/EGyOa+aO7
+E0obhYtS054nJuBLXaz9JHz1wrgHh6mTGd0Sa+DBXVHb1swM7I+QRrnFUooIAo5S
+lrPO7UDKEw1KOJNdSwF4RUVMUXI8FlYojczKnMBvGLk/kTwA4+tSK2v7ftFlhQl+
+7ZY6l0GCGuFxAZgqoMA5
+-----END CERTIFICATE-----
diff --git a/meta-ohos-core/recipes-core/rauc/insecure-keys/cert.pem.license b/meta-ohos-core/recipes-core/rauc/insecure-keys/cert.pem.license
new file mode 100644
index 0000000000000000000000000000000000000000..98a0b3f4a5b8db268215a128c7d06e0a10897e73
--- /dev/null
+++ b/meta-ohos-core/recipes-core/rauc/insecure-keys/cert.pem.license
@@ -0,0 +1,3 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
diff --git a/meta-ohos-core/recipes-core/rauc/insecure-keys/gen-keys.sh b/meta-ohos-core/recipes-core/rauc/insecure-keys/gen-keys.sh
new file mode 100755
index 0000000000000000000000000000000000000000..cd89f7688f97ef3233f8a798214358b91900d618
--- /dev/null
+++ b/meta-ohos-core/recipes-core/rauc/insecure-keys/gen-keys.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# The insecure pair of keys that are present in this layer were generated with
+# the following command. The keys will expire after a year. This is
+# intentional.
+openssl req -x509 -newkey rsa:4096 \
+    -keyout key.pem \
+    -out cert.pem \
+    -days 365 \
+    -nodes \
+    -subj "/CN=ostc-eu.org/O=Open Source Technology Center (Europe)/C=PL/L=Warsaw" </dev/null
+
diff --git a/meta-ohos-core/recipes-core/rauc/insecure-keys/key.pem b/meta-ohos-core/recipes-core/rauc/insecure-keys/key.pem
new file mode 100644
index 0000000000000000000000000000000000000000..8279c10cc5edfca74ec6ef46f787a6df60b0738a
--- /dev/null
+++ b/meta-ohos-core/recipes-core/rauc/insecure-keys/key.pem
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCzdwrFT5rhr+X1
+Y2p3noMP+N9ioifp/lyMHJWWARNbOWcJeW+KfGLfuQpJKuV5+x12KOjl0tTpWAwV
+A6AF2hRKOercAN/+dCfyDHMAydFiN0+Dv6xEhepeg1/JQ95MSySKVtNXjkBKELuk
+2JFUukgfdCx+lKqeOSVFOB/LxBn5AtmiZkWR5uRW9KnIHNHtOnROGmtPWzPy2MlQ
+w0Xtsey6FoDnxRQka8nmv6Glny0yWuCyML0Aj5/Hsf+6ukLi714vUUnqnRpLM4Iy
+4Xobu8W23mTdyu6SUHkKtq/d5zejTOy41QaE0vmaLeZICA8Ni3/x6+lyBV/yWv4J
+OQk3GapM5JSU/xRNYO00Wved+ZRNPFTx/RYTcwC2bFCmYvrHjoj7dtYtLBgl6oqW
+Q4NrKN7qMAs4kBjQzPIAGnH7+Skq1JmDPY0sskh1aBPPXn/oSI4mqKnBExV24Ul/
+N90R7fhf7G1syNEr8IUQHo4xbCeZOYhi4+lLy0ym502nYgvQTgs+NgfNqKZfhkb5
+BVfrO//dF/RSKMMBxRDzFHH8sHaThX77QlqkuYxeFv/E9ZfnfpcFpHx/gR6Pj8Hz
+bnKvyP617LURuFa2N6dSTWTR+dEqp8GvsTtZhXfaoPKn5KbWcQdPoJE+64B3aLt7
+xXblUaG7NQfDDXKQHtdfPbDxixrlzQIDAQABAoICAEfsaIOlIKRcU2Ph4PRpsYsA
+Kb6k0CxGBZ8dgZGpgrFnsvSoF1y/9vxEc2vZZjhZvHfzc0tQEIYoBEeTuVk/Ciyp
+Q4fCTgLzWGL4PErPlzuugQ6DDa40oTYZnpTRv1CCOPW8UFzhpMBKLnmlVbFIKsl4
+TLC6MhrROi+gi5WlVOdoDgK4zB7qEw8KZNTPQA68A4qdqe4W1h34Zc4ZRHg7e20k
+waqhYC4siLESkd0HixyIMU8Ym1aTOOzWWG/kYBQE7JE4GdCN/9CtpvtvQ/nDajyc
+qn3861n2KFxz1M2w8apflOuKbF9lEiWJSaYKnMXH55H0Aw3wO4CsmOznT9smTQpy
+LIA3D4+ot2ck9CYsb+3tBbJWIkwogsDx3S+nooTmnJRGPmI9Qga9D9uq2EqGarbT
+BS2XIOMK6BYyl5z4cFose9gjCGqB79aGiOJE2rRCePJRZXwhapwp8hnOL+3wr1X8
+PqM1ITenar53GsNGfyqurEbTHaSIDh9ypNAFzNjZYTrzJ2mVH1ptY/lFH62lYDPz
+bSUZ4S02BqHBLlOrvrRDU7AaA0GwTp+2wbBOk4DV4GyZfeqbl++v5xNBMZmL7gY0
+6WNZDOV67/LbW6Uh+NHC9QeFXDp+VZzVvotF5q9a7ix3p/SwH+4OfFodrhevIsge
+rnA6O+fj7q8tk+lNzWidAoIBAQDYsziaEYPyBwHTjjlhbPdoSNVQ953Yc7icJ9xJ
+ya6rVmmTYMLE1/YL8Izl42iiJz8vNcRqn0H8SBTQleWXO5a6CJaPVIbol5GQpevp
+VBPYUbmeEp1TfeC0tRbpc7sYe+tSFc7BXbER6yRh8exnY2Y+oRkcr/LVjaALbk3s
+tPdi+9OXvQoPCHOkcf9kcVhe6rPgZlHjmSqd+QJQev/P25KVQBHJFtPpLmgqA484
+iCNqH0znUYedyDmGslE10uy3iTG4EbyXjIetaIXvM5vodhvCjIk/JsuvuQ50OclG
+4TAMzftGMkaJis4xKy9O5RzdQKreUH4dQu0xuGQQvs15yFHXAoIBAQDUAxnACd2i
+uO8+RM1ba5axnZHmHbc9mKTqiuzO/NRgOZa0hXbECaxQ4xJz4J4tCOLEcUodelED
+OB1Dd7gSZpHJHx/cvMelFB4nLvSL4azL4h+v9OsXVeCxXiE/zbhpu4LE5AkDKwi1
+bUWYFj9LcisRNt22JJ6VmObwumSN0xLo1lECfFlB0/ZN0pwlWcEGI0BwAd2yr4bd
+wpH/wryRNE0rAAB9JAFHgk5pzwXoiMJDal+k5yskPGglg6r9nkhyugaC6Ks3p0X2
+ljCy2R/eSGpGHMnJ5EoM1U+gX8YZRjo3I8kBJ39vBikcU7xirxaQNiVoJcKRbSC6
+3GFPUm5IXZj7AoIBAQCIM92XuPqd3Rmgxvv56Gt4+I5bXcewjMu0GrmzBzjqKF4j
+a+X/o13bE078D3tssA5etgTGn2LyFrw+fnjYHXQXad54KEDDYMD1kdQ9y8LNbFCm
+sjyAhdX+vvOvuDYYpYq7BUn279Sj1o//n/de5HMXWlpWVaDj6Sh3BtWjufrkFDRi
+Y0c3O7Cz45MKptNMlWiJ2sYNr+/BawmxXB39n5z6glKredWn8qs1/RbACZF42kOU
+AQKkgXzm1J2GnxR6J5lAgKVw+7srm07TkjSkX9gC6CI7tz6/LCmRk+CW1GNHKRCO
+hnsfaEdBUEtj403JIyRCp4UdDzvWzHbYr5SmvunxAoIBAHMWm8vbjyzeJ0EuKCwQ
+Y2VXm/PG/cm6KwwHDjXumXsCyASGzsnsVlYybbnpnPPldvQca5dE5uVQeNI/EvUq
+KMl809cHw3ihSx0KKEYm455pybnCwjuQqsCd0H7KNelvmLU49It7uOaDwtukeAeE
+mkxl9EUD6/JZZkQXaq5yfjlW3fLzfaB2Z6YnRgwghN/IExq6aJavIg8PqCGmnKZW
+Ne25uoo0GV2wJtDZSOPKGWpvPCxQMOMix4ZVy2SRn9JnmVFG7GrxqtEJBraPlvUb
+alVVG1U1T91XjjoIw4jEzqVQD7VIs6yZM4flDMalNSJjwjqfBNfc3X+SUmC05pjx
+9jECggEAU3CH1S8sCBvZLAXxbi2J0tSqKUdmJLXxAHNBKHb01qXZ61NzUyDUz7nC
+sevqEq7J9vnbuR9HrMFjy95DgOttlgMGTUanOX44Y70PnPyvDAKGmR7Cl5RITkor
+XvfyxKWxYe6RFVnkvVcarCpt+1PPOfNEeWeFj3N8R+IzWOG5ZH2aqXhqJ7XdDMuo
+1YsxyRLxCSmGmZoZshkeyGvX/qQLH1dpsI8Va6t787eLaU6z4lHhtgCj52vupzax
+i/uzc1P+vjVv45LbxlD2P92bfoAHtShh3POQ9mnAkeh86lgvs87ydFz1dOTpSkpI
+Ut7m/IA0ihpotNXJv3shdR0pRGqXcw==
+-----END PRIVATE KEY-----
diff --git a/meta-ohos-core/recipes-core/rauc/insecure-keys/key.pem.license b/meta-ohos-core/recipes-core/rauc/insecure-keys/key.pem.license
new file mode 100644
index 0000000000000000000000000000000000000000..98a0b3f4a5b8db268215a128c7d06e0a10897e73
--- /dev/null
+++ b/meta-ohos-core/recipes-core/rauc/insecure-keys/key.pem.license
@@ -0,0 +1,3 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
diff --git a/meta-ohos-core/recipes-core/rauc/rauc_%.bbappend b/meta-ohos-core/recipes-core/rauc/rauc_%.bbappend
index 30e9e98e33980a8ff76d8b615214eb8c3814f5df..9cfcf46f6ce2568080c0102f32a7c14b7245899b 100644
--- a/meta-ohos-core/recipes-core/rauc/rauc_%.bbappend
+++ b/meta-ohos-core/recipes-core/rauc/rauc_%.bbappend
@@ -14,3 +14,32 @@ FILESEXTRAPATHS_prepend_raspberrypi4-64 := "${THISDIR}/files/raspberrypi4:"
 # Make the RAUC package machine-specific. This lets us put the specific configuration
 # file, which encodes the slot configuration, into it safely.
 PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+# Use the known insecure public key which is a part of this layer as the key
+# baked into our reference images.
+#
+# This key is meant to be insecure for two reasons:
+#
+# 1) There are no binary updates available for the reference images, nor there
+# are any binary updates that come out which are production-grade and can be
+# deployed directly. This is the responsibility of the integrator for a
+# specific product. Having a known-insecure key should discourage people from
+# using artifacts coming out of CI as updates for anything not related to
+# testing.
+#
+# 2) There is no need to use a sophisticated secure key storage environment in
+# order to build reference images to allow CI-made artifacts to be signed and
+# useful for testing.
+
+# Set RAUC_KEYRING_FILE which is is defined in meta-rauc. This still allows any
+# downstream overrides to define it more strongly and use a different private
+# key. This variable is also set up to append to SRC_URI, so no additional
+# declaration is needed.
+RAUC_KEYRING_FILE ?= "ostc-insecure-cert.pem"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+do_install_append() {
+    if [ -f ${D}${sysconfdir}/rauc/ostc-insecure-cert.pem ]; then
+        bbwarn "The image is using a known, insecure test key for verifying RAUC bundles. Do not use this in production systems."
+    fi
+}