diff --git a/vendor/rustdesk/src/hbbs_http/sync.rs b/vendor/rustdesk/src/hbbs_http/sync.rs
index c1358b3..baf524a 100644
--- a/vendor/rustdesk/src/hbbs_http/sync.rs
+++ b/vendor/rustdesk/src/hbbs_http/sync.rs
@@ -184,6 +184,15 @@ async fn start_hbbs_sync_async() {
                     v["version"] = json!(crate::VERSION);
                     v["id"] = json!(id);
                     v["uuid"] = json!(crate::encode64(hbb_common::get_uuid()));
+                    // opsbase enrollment: advertise our Ed25519 public key so the
+                    // server can pin it trust-on-first-use and verify our signed
+                    // requests. This is the same keypair `sign.rs` signs with and
+                    // rendezvous registers. Harmless on vanilla rustdesk servers,
+                    // which ignore unknown sysinfo fields.
+                    let (_sk, pk_bytes) = Config::get_key_pair();
+                    if !pk_bytes.is_empty() {
+                        v["pk"] = json!(crate::encode64(&pk_bytes));
+                    }
                     // Optional rebrand identity: `AGENT_NAME` / `AGENT_VERSION`
                     // are empty by default (vanilla rustdesk) and populated by
                     // OEM shells like hello-agent. We only stamp the field