From 661a66816999e1a191e4fd4753474b0da1d37ddc Mon Sep 17 00:00:00 2001
From: "James (ClawdBot)" <johan@inou.com>
Date: Wed, 28 Jan 2026 18:57:50 +0000
Subject: [PATCH] Add debug logging to verify public key derivation

---
 .../com/inou/clawdnode/security/DeviceIdentity.kt     | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/app/src/main/java/com/inou/clawdnode/security/DeviceIdentity.kt b/app/src/main/java/com/inou/clawdnode/security/DeviceIdentity.kt
index 13d0744..d6b93e7 100644
--- a/app/src/main/java/com/inou/clawdnode/security/DeviceIdentity.kt
+++ b/app/src/main/java/com/inou/clawdnode/security/DeviceIdentity.kt
@@ -97,10 +97,19 @@ class DeviceIdentity(context: Context) {
             ?: throw IllegalStateException("No private key available")
         val privateKeyBytes = base64UrlDecode(privateKeyBase64)
         
-        // Create EdDSA private key
+        // Create EdDSA private key from seed
         val privateKeySpec = EdDSAPrivateKeySpec(privateKeyBytes, ed25519Spec)
         val privateKey = EdDSAPrivateKey(privateKeySpec)
         
+        // Verify the derived public key matches stored public key
+        val derivedPubKey = privateKey.abyte
+        val storedPubKeyBase64 = prefs.getString(keyPublic, null)
+        val storedPubKey = storedPubKeyBase64?.let { base64UrlDecode(it) }
+        
+        Log.d(tag, "Stored pubkey:  ${storedPubKeyBase64?.take(20)}...")
+        Log.d(tag, "Derived pubkey: ${base64UrlEncode(derivedPubKey).take(20)}...")
+        Log.d(tag, "Keys match: ${derivedPubKey.contentEquals(storedPubKey)}")
+        
         // Sign the payload using standard Ed25519 (not prehashed Ed25519ph)
         val signature = EdDSAEngine().apply {
             initSign(privateKey)