adacam/keys
Kayos 85b3ee39dd feat: signed USB recovery system
- keys/adacam-update-public.pem: RSA-4096 public key (private on Lucy)
- services/updater/adacam-updater.sh: standalone updater (also inlined in liberate.sh)
- services/updater/99-adacam-usb.rules: udev rule for auto-trigger on USB insert
- scripts/sign-bundle.sh: create + sign recovery bundles on Lucy
- keys/README.md: updated with signing key docs and bundle creation instructions

Private key at: /boot/config/adacam/adacam-update-private.pem (Lucy, boot-persistent)
2026-03-14 15:07:32 -07:00
adacam-update-public.pem feat: signed USB recovery (Option A) 2026-03-14 14:49:56 -07:00
adacam_authorized_key.pub feat: SSH key management — built-in authorized keys, key storage docs 2026-03-14 12:23:11 -07:00
README.md feat: signed USB recovery system 2026-03-14 15:07:32 -07:00

keys/

All public keys. Private keys live on Lucy only, never in this repo.


SSH Access Keys — adacam_authorized_key.pub

Injected into every liberated AdaCam during liberation. Two keys:

  • cobb@adacam — primary access key, private half at /boot/config/adacam/id_ed25519_adacam on Lucy
  • kayos@openclaw — OpenClaw agent key, private half at ~/.openclaw/id_ed25519_unraid

How to SSH into a liberated AdaCam:

# On adacam AP (always works):
ssh -i /boot/config/adacam/id_ed25519_adacam root@10.77.0.1

# On home WiFi (after WiFi config via Varroa):
ssh -i /boot/config/adacam/id_ed25519_adacam root@<device-lan-ip>

Private key location on Lucy: /boot/config/adacam/id_ed25519_adacam


Update Signing Key — adacam-update-public.pem

RSA-4096 public key. Used by adacam-updater to verify signed recovery bundles before applying.

Private key location on Lucy: /boot/config/adacam/adacam-update-private.pem

To create a signed recovery bundle:

# On Lucy
bash scripts/sign-bundle.sh ./recovery-output ./my-bundle-dir
# Produces: adacam-recovery.tar.gz + adacam-recovery.tar.gz.sig
# Copy both to USB drive: USB:/adacam_recovery/

Recovery flow:

  1. Create and sign a bundle (scripts/sign-bundle.sh)
  2. Copy .tar.gz + .sig to USB drive under adacam_recovery/
  3. Insert USB into powered-on AdaCam
  4. adacam-updater fires via udev, verifies sig, runs install.sh inside bundle
  5. Device reboots automatically
  6. Check /data/adacam/recovery.log if something went wrong
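
The verify step of the recovery flow above, as an added example (this is not the project's adacam-updater.sh). It assumes a detached signature made with `openssl dgst -sha256 -sign`, which the page does not specify; `verify_and_stage` and `make_demo_usb` are hypothetical names, and the demo key and bundle are constructed.

```shell
#!/usr/bin/env bash
# Added example, not the project's adacam-updater.sh.
# Assumption: the .sig is a detached signature over the tarball made with
# `openssl dgst -sha256 -sign <private.pem>`; the page does not say which.

# verify_and_stage <public.pem> <usb_dir> <stage_dir>   (hypothetical name)
# Returns 0 and leaves the extracted bundle in <stage_dir>/bundle only if
# the signature verifies; 1 = bad signature, 2 = file missing, 3 = I/O.
verify_and_stage() {
    local pub="$1" src="$2" stage="$3"
    local name="adacam-recovery.tar.gz"

    [ -f "$src/$name" ] && [ -f "$src/$name.sig" ] || return 2

    # Copy off the removable media first, so the bytes that were verified
    # are the bytes that get extracted even if the USB contents change.
    mkdir -p "$stage" && chmod 700 "$stage" || return 3
    cp "$src/$name" "$src/$name.sig" "$stage/" || return 3

    # Check the signature before tar ever parses the archive.
    if ! openssl dgst -sha256 -verify "$pub" \
            -signature "$stage/$name.sig" "$stage/$name" >/dev/null 2>&1
    then
        rm -rf "$stage"
        return 1
    fi

    mkdir "$stage/bundle" && tar -xzf "$stage/$name" -C "$stage/bundle"
}

# Constructed fixture: throwaway 2048-bit key and a one-file bundle laid
# out like the USB drive (hypothetical helper, for the demo only).
make_demo_usb() {
    local dir="$1" usb="$1/usb/adacam_recovery"
    mkdir -p "$usb" "$dir/src"
    echo 'echo "constructed demo installer"' > "$dir/src/install.sh"
    tar -czf "$usb/adacam-recovery.tar.gz" -C "$dir/src" install.sh
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/priv.pem" 2>/dev/null
    openssl pkey -in "$dir/priv.pem" -pubout -out "$dir/pub.pem"
    openssl dgst -sha256 -sign "$dir/priv.pem" \
        -out "$usb/adacam-recovery.tar.gz.sig" "$usb/adacam-recovery.tar.gz"
}
```

Because install.sh runs as root, this check is the only control between an inserted USB drive and root on the device, so every failure path has to stop before extraction.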

What a recovery bundle can do:

  • Reinstall services (/opt/adacam/)
  • Restore config (/data/adacam/config.json)
  • Replace SSH authorized_keys (locked-out recovery)
  • Run arbitrary root commands via install.sh

What it cannot do (by design):

  • Flash bootloader — adacam-updater does not call movisoc-fwu
  • Full OS image replacement — use Mender for that (future)

Key Locations Summary

| Key | Type | Private | Public |
|---|---|---|---|
| SSH access | ed25519 | Lucy: /boot/config/adacam/id_ed25519_adacam | keys/adacam_authorized_key.pub → /root/.ssh/authorized_keys |
| Update signing | RSA-4096 | Lucy: /boot/config/adacam/adacam-update-private.pem | keys/adacam-update-public.pem → /etc/adacam/update-verify.pem |

adacam-update-public.pem

RSA-4096 public key for verifying signed USB recovery bundles. Installed to /etc/adacam/update-verify.pem on every liberated device by liberate.sh.

Private key: /boot/config/adacam/adacam-update-private.pem on Lucy — NEVER commit this.

Creating a recovery bundle

From Lucy, inside the cloned adacam repo:

bash scripts/sign-bundle.sh [output-dir]
# Default output: /tmp/adacam-recovery-bundle/

Copy the adacam_recovery/ folder to the root of a USB drive. Insert into a liberated AdaCam — recovery runs automatically.