Any way to disable module signature checking for an individual module?

My original comment about the FreePBX people not being happy was because in order to do this you only need to take about 45 seconds of your time, yet there were 52 posts before mine in which no FreePBX people were willing to help the OP do this (secure or not).

My way is not secure, at all. I’ve simply bypassed the GPG checking. This was the only way I found due to how the module signing works. I could have just edited the module.sig file with new hashes for the files I edited, but that would have broken the GPG signature. So the only way to make this happen was to make the GPG check not happen at all for the modules I edited.

I noticed that the “tamper” alerts stem from the data in the modules table in the database. A check happens every time a config is applied (the big red button) in the web gui, modules are checked, and if one fails the JSON is written to the modules table. So my code just makes the “untampered” JSON written to the table for the modules I specify.

In the below code all that’s happening is I run a check to see if the currently-being-checked module is the one that I’ve edited, and if so don’t run the signature checks, thus returning the “untampered” result. Editing this file, however, causes another tamper alert because it’s part of the “framework” module. So you’ll see in the regex that I had to exclude that as well. As I said earlier, completely not secure, but for people who have to edit modules because they don’t work how they’re supposed to, it makes FreePBX happy.

admin/libraries/BMO/GPG.class.php

150   if(!preg_match('/^(cxpanel|framework)$/',$modulename))
151   {
152  
153   foreach ($module['hashes'] as $file => $hash) {
154           $dest = FreePBX::Installer()->getDestination($modulename, $file);
155           if ($dest === false) {
156                   // If the file is explicitly un-checkable, ignore it.
157                   continue;
158           }
159           if (!file_exists($dest)) {
160                   $retarr['details'][] = $dest." "._("missing");
161                   $retarr['status'] |= GPG::STATE_TAMPERED;
162                   $retarr['status'] &= ~GPG::STATE_GOOD;
163           } elseif (hash_file('sha256', $dest) != $hash) {
164                   // If you i18n this string, also note that it's used explicitly
165                   // as a comparison of "altered" in modulefunctions.class, to
166                   // warn people about bin/amportal needing to be updated
167                   // with 'amportal chown'. Don't make them different!
168                   $retarr['details'][] = $dest." "._("altered");
169                   $retarr['status'] |= GPG::STATE_TAMPERED;
170                   $retarr['status'] &= ~GPG::STATE_GOOD;
171           }
172   }
173  
174   } // End bypass

The IF statement on lines 150-1 is the regular expression to not run the next block of code if the module name is either cxpanel or framework. Cxpanel is the one I edited and framework is the module that this file belongs to (you always have to exclude framework in addition to the module you’ve edited). Then just don’t forget to close the IF statement BEFORE the return at line 174.

There you go, no more tamper alerts.

For those who want to do this make sure you use the actual module name in the regex (the one listed in the modules table), not the name shown in the tamper alert in the web gui.

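The post shows that the tamper check is only as trustworthy as the code doing the checking: the hash loop lives in the framework module, so editing that one file silences alerts for any module. An administrator who wants to know whether a deployment has been patched this way can run the same kind of comparison out of band, from a script that does not depend on the application's own checker. The example below is added here and is not code from the post or from the FreePBX project; it re-implements the missing/altered logic from the quoted loop in Python over a constructed hash manifest and a temporary directory, and the STATE_GOOD/STATE_TAMPERED values are constructed, not FreePBX's own constants. The manifest would normally be taken from a known-good copy of the module's signed hash list, verified with the project's GPG key before use.

```python
"""Out-of-band file integrity check modelled on the quoted hash loop.

Added example (not FreePBX code). It compares files on disk against a
mapping of relative path -> expected sha256, reporting "missing" and
"altered" entries the same way the original loop does.
"""
import hashlib
import os
import tempfile

# Constructed flag values; FreePBX's own constants may differ.
STATE_GOOD = 1
STATE_TAMPERED = 2


def sha256_of(path):
    """Stream a file through sha256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_files(base_dir, hashes):
    """Return (status_bits, details) for the files listed in `hashes`.

    A missing file or a hash mismatch sets STATE_TAMPERED and clears
    STATE_GOOD, mirroring the bit operations in the quoted loop.
    """
    status = STATE_GOOD
    details = []
    for relative, expected in hashes.items():
        dest = os.path.join(base_dir, relative)
        if not os.path.isfile(dest):
            details.append(f"{dest} missing")
            status = (status | STATE_TAMPERED) & ~STATE_GOOD
        elif sha256_of(dest) != expected:
            details.append(f"{dest} altered")
            status = (status | STATE_TAMPERED) & ~STATE_GOOD
    return status, details


def demo():
    """Constructed scenario: three files recorded in a manifest, then one is
    edited locally and one is deleted. Returns the verification result."""
    with tempfile.TemporaryDirectory() as base:
        files = {
            "Module.class.php": b"<?php // original module code\n",
            "page.module.php": b"<?php // page handler\n",
            "install.php": b"<?php // installer\n",
        }
        for relative, data in files.items():
            with open(os.path.join(base, relative), "wb") as handle:
                handle.write(data)

        # The manifest is computed from the pristine files, standing in for the
        # signed hash list an administrator would keep from a trusted source.
        manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in files.items()}

        # Simulate a local edit and a deleted file after the manifest was recorded.
        with open(os.path.join(base, "Module.class.php"), "ab") as handle:
            handle.write(b"// local patch\n")
        os.remove(os.path.join(base, "install.php"))

        return verify_files(base, manifest)


if __name__ == "__main__":
    status, details = demo()
    print("status bits:", status)
    for line in details:
        print(line)
```

Because the manifest and the comparison live outside the application, bypassing the in-app loop for a given module name does not hide the change from this check; the same script run over the framework module's own files would flag the edited checker itself.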