From 5e7911e5999e2942204dc9c6e9db6e4ad175c318 Mon Sep 17 00:00:00 2001
From: Brian Hanson
Date: Wed, 15 Apr 2026 02:59:34 +0000
Subject: [PATCH] move SSH key decryption from provision.sh to on_start.sh Keys now install to /root/.ssh/ (for root git operations) instead of /data/ssh/.ssh/. Runs every boot via on_start.sh so keys are available even without a full provision cycle.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 system/clearpilot/on_start.sh | 17 +++++++++++++++++
 system/clearpilot/provision.sh | 19 -------------------
 2 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/system/clearpilot/on_start.sh b/system/clearpilot/on_start.sh
index 98d1579..9a5c527 100755
--- a/system/clearpilot/on_start.sh
+++ b/system/clearpilot/on_start.sh
@@ -9,6 +9,23 @@ echo -n 1 > /data/params/d/SshEnabled sudo systemctl enable ssh 2>/dev/null sudo systemctl start ssh
+# Decrypt and install SSH identity keys for root (git auth)
+serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
+ssh_dir="/root/.ssh"
+if [[ $serial == 3889765b ]] && [[ ! -f "$ssh_dir/id_ed25519" || ! -f "$ssh_dir/id_ed25519.pub" ]]; then
+ echo "Decrypting SSH identity keys for root (serial=$serial)..."
+ tmpdir=$(mktemp -d)
+ bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.cpt "$tmpdir/id_ed25519"
+ bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.pub.cpt "$tmpdir/id_ed25519.pub"
+ sudo mkdir -p "$ssh_dir"
+ sudo cp "$tmpdir/id_ed25519" "$tmpdir/id_ed25519.pub" "$ssh_dir/"
+ rm -rf "$tmpdir"
+ sudo chmod 700 "$ssh_dir"
+ sudo chmod 600 "$ssh_dir/id_ed25519"
+ sudo chmod 644 "$ssh_dir/id_ed25519.pub"
+ echo "SSH identity keys installed to $ssh_dir"
+fi
+
 # Always ensure WiFi radio is on nmcli radio wifi on 2>/dev/null
diff --git a/system/clearpilot/provision.sh b/system/clearpilot/provision.sh
index f6dbce4..a814918 100644
--- a/system/clearpilot/provision.sh
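Review bot: The `[[ ! -f "$ssh_dir/id_ed25519" || ... ]]` guard in on_start.sh runs as the calling user while every write to `/root/.ssh` goes through `sudo`, so if the script is not started as root and `/root` is not traversable by that user (the usual default), the test is always true and the private key is decrypted into a temp directory on every boot. Neither `decrypt` call is checked, so a failed decryption can still reach the `sudo cp`, and the key is copied before the `chmod` lines tighten the directory and file modes. I would run the existence test with `sudo test -f`, install only when both decrypts succeed, and create the files with their final modes via `install -m`, as sketched in the fence below. Separately, the comment deleted from provision.sh said the hardware serial doubles as the decryption key; if `tools/decrypt` still works that way, the secret protecting the committed `.cpt` files is the same value this hunk hard-codes and echoes, so a per-device key provisioned outside the repository would be the safer design.

```shell
if [[ $serial == 3889765b ]] && { ! sudo test -f "$ssh_dir/id_ed25519" || ! sudo test -f "$ssh_dir/id_ed25519.pub"; }; then
  # … unchanged: "Decrypting SSH identity keys" echo …
  cp_root=/data/openpilot/system/clearpilot
  if tmpdir=$(mktemp -d); then
    if bash "$cp_root/tools/decrypt" "$cp_root/dev/id_ed25519.cpt" "$tmpdir/id_ed25519" &&
       bash "$cp_root/tools/decrypt" "$cp_root/dev/id_ed25519.pub.cpt" "$tmpdir/id_ed25519.pub"; then
      # Tighten the directory first, then create each file with its final mode.
      sudo mkdir -p "$ssh_dir" && sudo chmod 700 "$ssh_dir"
      sudo install -m 600 "$tmpdir/id_ed25519" "$ssh_dir/id_ed25519"
      sudo install -m 644 "$tmpdir/id_ed25519.pub" "$ssh_dir/id_ed25519.pub"
      # … unchanged: "SSH identity keys installed" echo …
    else
      echo "SSH key decryption failed; nothing installed" >&2
    fi
    # Runs on both paths so plaintext key material never outlives this block.
    rm -rf -- "$tmpdir"
  fi
fi
```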
+++ b/system/clearpilot/provision.sh
@@ -45,25 +45,6 @@ exec /root/.local/bin/claude "$@" WRAPPER chmod +x /usr/local/bin/claude echo "Packages installed"
-
-# Decrypt and install SSH identity keys (for git auth)
-# Uses hardware serial from /proc/cmdline as device identity and decryption key
-serial=$(sed 's/.*androidboot.serialno=\([^ ]*\).*/\1/' /proc/cmdline)
-ssh_dir="/data/ssh/.ssh"
-if [[ $serial == 3889765b ]] && [[ ! -f "$ssh_dir/id_ed25519" || ! -f "$ssh_dir/id_ed25519.pub" ]]; then
- echo "Decrypting SSH identity keys (serial=$serial)..."
- tmpdir=$(mktemp -d)
- bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.cpt "$tmpdir/id_ed25519"
- bash /data/openpilot/system/clearpilot/tools/decrypt /data/openpilot/system/clearpilot/dev/id_ed25519.pub.cpt "$tmpdir/id_ed25519.pub"
- mkdir -p "$ssh_dir"
- cp "$tmpdir/id_ed25519" "$tmpdir/id_ed25519.pub" "$ssh_dir/"
- rm -rf "$tmpdir"
- chmod 700 "$ssh_dir"
- chmod 600 "$ssh_dir/id_ed25519"
- chmod 644 "$ssh_dir/id_ed25519.pub"
- echo "SSH identity keys installed to $ssh_dir"
-fi
-
 # 4. Ensure git remote uses SSH (not HTTPS) cd /data/openpilot EXPECTED_REMOTE="git@git.hanson.xyz:brianhansonxyz/clearpilot.git"