diff --git a/VPS-SSH-KEY-SETUP.md b/VPS-SSH-KEY-SETUP.md
index cbe22d7..3e7d60d 100644
--- a/VPS-SSH-KEY-SETUP.md
+++ b/VPS-SSH-KEY-SETUP.md
@@ -250,6 +250,52 @@ systemctl --user restart ssh-agent
 source ~/.bashrc
 ```
 
+**"identity_sign: private key contents do not match public"**
+
+This critical error means the public key on Gitea doesn't match your private key.
+
+```bash
+# Generate correct public key from your private key
+ssh-keygen -y -f ~/.ssh/id_ed25519 > /tmp/correct-public-key.pub
+
+# Show it
+cat /tmp/correct-public-key.pub
+```
+
+Copy the output (starts with `ssh-ed25519 AAAA...`), then:
+1. Go to http://100.120.125.113:3000/user/settings/keys
+2. Delete the old/wrong key
+3. Add the correct public key you just generated
+4. Test: `ssh -T git@100.120.125.113`
+
+**Full diagnostic for key mismatch:**
+
+```bash
+#!/bin/bash
+echo "=== SSH Key Mismatch Diagnostic ==="
+
+# Generate what public key SHOULD be
+ssh-keygen -y -f ~/.ssh/id_ed25519 > /tmp/derived-public-key.pub
+
+echo "=== CORRECT Public Key (copy this to Gitea) ==="
+cat /tmp/derived-public-key.pub
+echo ""
+
+echo "=== Key Fingerprint ==="
+ssh-keygen -lf ~/.ssh/id_ed25519
+
+# Compare with stored public key if exists
+if [ -f ~/.ssh/id_ed25519.pub ]; then
+    if diff ~/.ssh/id_ed25519.pub /tmp/derived-public-key.pub > /dev/null; then
+        echo "✓ Stored .pub file matches private key"
+    else
+        echo "✗ Stored .pub file WRONG - delete it and use derived key above"
+    fi
+fi
+```
+
+Save the diagnostic as `~/fix-key-mismatch.sh`, run it, and upload the shown public key to Gitea.
+
 ## After SSH Works
 
 Now you can clone from Gitea without passwords: