diff --git a/.github/workflows/ci-workflow.yml b/.github/workflows/ci-workflow.yml index 490928d..23b1679 100644 --- a/.github/workflows/ci-workflow.yml +++ b/.github/workflows/ci-workflow.yml @@ -177,13 +177,13 @@ jobs: - name: Build test binaries run: | - make -j BOLOS_SDK=$NANOS_SDK CAL_TESTING_KEY=1 + make -j BOLOS_SDK=$NANOS_SDK CAL_CI_KEY=1 mv bin/app.elf app-nanos.elf make clean - make -j BOLOS_SDK=$NANOX_SDK CAL_TESTING_KEY=1 + make -j BOLOS_SDK=$NANOX_SDK CAL_CI_KEY=1 mv bin/app.elf app-nanox.elf make clean - make -j BOLOS_SDK=$NANOSP_SDK CAL_TESTING_KEY=1 + make -j BOLOS_SDK=$NANOSP_SDK CAL_CI_KEY=1 mv bin/app.elf app-nanosp.elf - name: Upload app binaries @@ -270,9 +270,7 @@ jobs: sudo apt install -y qemu-user-static - name: Run tests - env: - CAL_SIGNATURE_TEST_KEY: ${{ secrets.CAL_SIGNATURE_TEST_KEY }} run: | cd tests/ragger . ./venv/bin/activate - pytest --path ./elfs --model ${{ matrix.model }} -s -v + pytest --path ./elfs --model ${{ matrix.model }} -s -v --tb=short diff --git a/Makefile b/Makefile index b0dfbb5..81da667 100644 --- a/Makefile +++ b/Makefile @@ -147,10 +147,14 @@ ifneq ($(TARGET_NAME),TARGET_NANOS) DEFINES += HAVE_EIP712_FULL_SUPPORT endif -# CryptoAssetsList testing key -CAL_TESTING_KEY:=0 -ifneq ($(CAL_TESTING_KEY),0) -DEFINES += HAVE_CAL_TESTING_KEY +# CryptoAssetsList key +CAL_TEST_KEY:=0 +CAL_CI_KEY:=0 +ifneq ($(CAL_TEST_KEY),0) +DEFINES += HAVE_CAL_TEST_KEY +endif +ifneq ($(CAL_CI_KEY),0) +DEFINES += HAVE_CAL_CI_KEY endif # Enabling debug PRINTF diff --git a/src/tokens.h b/src/tokens.h index 7aa38f6..0a10125 100644 --- a/src/tokens.h +++ b/src/tokens.h 
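Review bot: In the Makefile hunk, `CAL_TEST_KEY` and `CAL_CI_KEY` each replace the production signature-verification key with a non-production one, yet the comment `# CryptoAssetsList key` no longer says so, and the only conflict check is the `#error` in src/tokens.h. The comment should state that both flags select non-production trust anchors and must stay at 0 for release builds. Failing in make when both are set gives an earlier and clearer error. As far as this hunk shows, the old `CAL_TESTING_KEY` name is no longer referenced, so a caller still passing `CAL_TESTING_KEY=1` silently gets a production-key build; rejecting the stale name would surface that.

```makefile
# … unchanged: CAL_TEST_KEY / CAL_CI_KEY defaults and their DEFINES …
ifneq ($(CAL_TEST_KEY),0)
ifneq ($(CAL_CI_KEY),0)
$(error CAL_TEST_KEY and CAL_CI_KEY are mutually exclusive)
endif
endif
ifneq ($(origin CAL_TESTING_KEY),undefined)
$(error CAL_TESTING_KEY was renamed, use CAL_TEST_KEY or CAL_CI_KEY)
endif
```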
@@ -43,21 +43,31 @@ extern tokenDefinition_t const TOKENS_EXTRA[NUM_TOKENS_EXTRA]; #ifndef HAVE_TOKENS_LIST +#if defined(HAVE_CAL_TEST_KEY) && defined(HAVE_CAL_CI_KEY) +#error "CAL key contradiction, two alternative keys selected at once" +#endif + static const uint8_t LEDGER_SIGNATURE_PUBLIC_KEY[] = { -#ifndef HAVE_CAL_TESTING_KEY - // production key 2019-01-11 03:07PM (erc20signer) - 0x04, 0x5e, 0x6c, 0x10, 0x20, 0xc1, 0x4d, 0xc4, 0x64, 0x42, 0xfe, 0x89, 0xf9, 0x7c, - 0x0b, 0x68, 0xcd, 0xb1, 0x59, 0x76, 0xdc, 0x24, 0xf2, 0x4c, 0x31, 0x6e, 0x7b, 0x30, - 0xfe, 0x4e, 0x8c, 0xc7, 0x6b, 0x14, 0x89, 0x15, 0x0c, 0x21, 0x51, 0x4e, 0xbf, 0x44, - 0x0f, 0xf5, 0xde, 0xa5, 0x39, 0x3d, 0x83, 0xde, 0x53, 0x58, 0xcd, 0x09, 0x8f, 0xce, - 0x8f, 0xd0, 0xf8, 0x1d, 0xaa, 0x94, 0x97, 0x91, 0x83 -#else +#if defined(HAVE_CAL_TEST_KEY) // test key 2019-01-11 03:07PM (erc20signer) 0x04, 0x20, 0xda, 0x62, 0x00, 0x3c, 0x0c, 0xe0, 0x97, 0xe3, 0x36, 0x44, 0xa1, 0x0f, 0xe4, 0xc3, 0x04, 0x54, 0x06, 0x9a, 0x44, 0x54, 0xf0, 0xfa, 0x9d, 0x4e, 0x84, 0xf4, 0x50, 0x91, 0x42, 0x9b, 0x52, 0x20, 0xaf, 0x9e, 0x35, 0xc0, 0xb2, 0xd9, 0x28, 0x93, 0x80, 0x13, 0x73, 0x07, 0xde, 0x4d, 0xd1, 0xd4, 0x18, 0x42, 0x8c, 0xf2, 0x1a, 0x93, 0xb3, 0x35, 0x61, 0xbb, 0x09, 0xd8, 0x8f, 0xe5, 0x79 +#elif defined(HAVE_CAL_CI_KEY) + 0x04, 0x4c, 0xca, 0x8f, 0xad, 0x49, 0x6a, 0xa5, 0x04, 0x0a, 0x00, 0xa7, 0xeb, 0x2f, + 0x5c, 0xc3, 0xb8, 0x53, 0x76, 0xd8, 0x8b, 0xa1, 0x47, 0xa7, 0xd7, 0x05, 0x4a, 0x99, + 0xc6, 0x40, 0x56, 0x18, 0x87, 0xfe, 0x17, 0xa0, 0x96, 0xe3, 0x6c, 0x3b, 0x52, 0x3b, + 0x24, 0x4f, 0x3e, 0x2f, 0xf7, 0xf8, 0x40, 0xae, 0x26, 0xc4, 0xe7, 0x7a, 0xd3, 0xbc, + 0x73, 0x9a, 0xf5, 0xde, 0x6f, 0x2d, 0x77, 0xa7, 0xb6 +#else + // production key 2019-01-11 03:07PM (erc20signer) + 0x04, 0x5e, 0x6c, 0x10, 0x20, 0xc1, 0x4d, 0xc4, 0x64, 0x42, 0xfe, 0x89, 0xf9, 0x7c, + 0x0b, 0x68, 0xcd, 0xb1, 0x59, 0x76, 0xdc, 0x24, 0xf2, 0x4c, 0x31, 0x6e, 0x7b, 0x30, + 0xfe, 0x4e, 0x8c, 0xc7, 0x6b, 0x14, 0x89, 0x15, 0x0c, 0x21, 0x51, 0x4e, 
0xbf, 0x44, + 0x0f, 0xf5, 0xde, 0xa5, 0x39, 0x3d, 0x83, 0xde, 0x53, 0x58, 0xcd, 0x09, 0x8f, 0xce, + 0x8f, 0xd0, 0xf8, 0x1d, 0xaa, 0x94, 0x97, 0x91, 0x83 #endif }; diff --git a/tests/ragger/cal/cal.py b/tests/ragger/cal/cal.py new file mode 100644 index 0000000..e75fcab --- /dev/null +++ b/tests/ragger/cal/cal.py @@ -0,0 +1,18 @@ +import os +import hashlib +from ecdsa.util import sigencode_der +from ecdsa import SigningKey + +_key: SigningKey = None + +def _init_key(): + global _key + with open(os.path.dirname(__file__) + "/key.pem") as pem_file: + _key = SigningKey.from_pem(pem_file.read(), hashlib.sha256) + assert _key != None + +def sign(data: bytes) -> bytes: + global _key + if not _key: + _init_key() + return _key.sign_deterministic(data, sigencode=sigencode_der) diff --git a/tests/ragger/cal/key.pem b/tests/ragger/cal/key.pem new file mode 100644 index 0000000..338e49f --- /dev/null +++ b/tests/ragger/cal/key.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BgUrgQQACg== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHQCAQEEIHoMkoRaNq0neb1TxRBor4WouV8PQqJf02sg4eh768LpoAcGBSuBBAAK +oUQDQgAETMqPrUlqpQQKAKfrL1zDuFN22IuhR6fXBUqZxkBWGIf+F6CW42w7Ujsk +Tz4v9/hAribE53rTvHOa9d5vLXentg== +-----END EC PRIVATE KEY----- diff --git a/tests/ragger/eip712/InputData.py b/tests/ragger/eip712/InputData.py index 89e877c..01e0c6e 100644 --- a/tests/ragger/eip712/InputData.py +++ b/tests/ragger/eip712/InputData.py @@ -1,14 +1,11 @@ #!/usr/bin/env python3 -import os import json import sys import re import hashlib -from ecdsa import SigningKey -from ecdsa.util import sigencode_der from ethereum_client.client import EthereumClient, EIP712FieldType -import base64 +from cal import cal # global variables app_client: EthereumClient = None 
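Review bot: The `HAVE_CAL_CI_KEY` branch of `LEDGER_SIGNATURE_PUBLIC_KEY` in src/tokens.h is the only one of the three key arrays without an identifying comment. Its private half is committed by this same change as tests/ragger/cal/key.pem, and the public point encoded in that PEM appears to match these bytes. Any binary built with this define therefore accepts signatures that anyone able to read the repository can produce, and the branch should say so: `// CI key: private half is public in tests/ragger/cal/key.pem, never ship a build with HAVE_CAL_CI_KEY`. Where the toolchain supports it, a `#warning "non-production CAL key selected"` in the two non-production branches would make an accidental release build with either flag visible in the build log.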
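Review bot: `assert _key != None` in `_init_key` of tests/ragger/cal/cal.py guards nothing. `SigningKey.from_pem` should either return a key or raise, and the assert is stripped under `python -O`, so the line can be dropped. In `sign`, compare by identity with `if _key is None:` and annotate the global as `_key: Optional[SigningKey] = None`; `sign` only reads `_key`, so its `global _key` is not needed. A module docstring is also missing: it should state that the module signs with the repository's public CI key and is only meaningful against an app built with `CAL_CI_KEY=1`.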
@@ -254,7 +251,7 @@ def send_filtering_message_info(display_name: str, filters_count: int): for char in display_name: to_sign.append(ord(char)) - sig = sig_ctx["key"].sign_deterministic(to_sign, sigencode=sigencode_der) + sig = cal.sign(to_sign) app_client.eip712_filtering_message_info(display_name, filters_count, sig) # ledgerjs doesn't actually sign anything, and instead uses already pre-computed signatures @@ -272,7 +269,7 @@ def send_filtering_show_field(display_name): to_sign.append(ord(char)) for char in display_name: to_sign.append(ord(char)) - sig = sig_ctx["key"].sign_deterministic(to_sign, sigencode=sigencode_der) + sig = cal.sign(to_sign) app_client.eip712_filtering_show_field(display_name, sig) def read_filtering_file(domain, message, filtering_file_path): @@ -299,9 +296,6 @@ def init_signature_context(types, domain): global sig_ctx handle_optional_domain_values(domain) - env_key = os.environ["CAL_SIGNATURE_TEST_KEY"] - key = base64.b64decode(env_key).decode() # base 64 string -> decode bytes -> string - sig_ctx["key"] = SigningKey.from_pem(key, hashlib.sha256) caddr = domain["verifyingContract"] if caddr.startswith("0x"): caddr = caddr[2:]