From 14411987e772aef2dac7bba48a4ccd017c97a74c Mon Sep 17 00:00:00 2001 From: Mike Mueller Date: Mon, 15 Jun 2026 19:23:58 +0000 Subject: [PATCH] sysinfo: advertise Ed25519 public key for opsbase TOFU enrollment Include the agent's base64 Ed25519 public key in the `pk` field of the sysinfo upload. opsbase (acting as the agent's api-server) has no rendezvous server to learn the key from, so it pins this key trust-on-first-use on first contact and verifies every later signed request against it. This is the same keypair sign.rs already signs requests with. Vanilla rustdesk servers ignore the unknown field, so the change is backward compatible. Co-Authored-By: Claude Opus 4.8 (1M context)
---
 vendor/rustdesk/src/hbbs_http/sync.rs | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/vendor/rustdesk/src/hbbs_http/sync.rs b/vendor/rustdesk/src/hbbs_http/sync.rs
index c1358b3..baf524a 100644
--- a/vendor/rustdesk/src/hbbs_http/sync.rs
+++ b/vendor/rustdesk/src/hbbs_http/sync.rs
@@ -184,6 +184,15 @@ async fn start_hbbs_sync_async() {
 v["version"] = json!(crate::VERSION);
 v["id"] = json!(id);
 v["uuid"] = json!(crate::encode64(hbb_common::get_uuid()));
+ // opsbase enrollment: advertise our Ed25519 public key so the
+ // server can pin it trust-on-first-use and verify our signed
+ // requests. This is the same keypair `sign.rs` signs with and
+ // rendezvous registers. Harmless on vanilla rustdesk servers,
+ // which ignore unknown sysinfo fields.
+ let (_sk, pk_bytes) = Config::get_key_pair();
+ if !pk_bytes.is_empty() {
+ v["pk"] = json!(crate::encode64(&pk_bytes));
+ }
 // Optional rebrand identity: `AGENT_NAME` / `AGENT_VERSION`
 // are empty by default (vanilla rustdesk) and populated by
 // OEM shells like hello-agent. We only stamp the field
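Review bot: The guard `if !pk_bytes.is_empty()` only rejects a missing key, so a truncated or corrupted value read from the config would still be advertised in `pk`. Because the server pins this value trust-on-first-use, a malformed key would presumably be enrolled and every later signed request would fail verification until the pin is reset out of band. An Ed25519 public key is always 32 bytes, so I would tighten the check to `if pk_bytes.len() == 32 {` and log when the key is skipped, so that a failed enrollment can be diagnosed from the agent side. Separately, `let (_sk, pk_bytes)` keeps the secret half alive in a local for the rest of the enclosing block, whereas `let (_, pk_bytes) = Config::get_key_pair();` drops it at the end of the statement. The body of `start_hbbs_sync_async` starts and ends outside this hunk.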