3rd party module signature checking is broken again

Migrating a bunch of boxes from 13 to 16 and am once again facing issues with our modules’ signatures.

fwconsole ma refreshsignatures reports the signatures are good:

Checking restart...

My key is in the asterisk user’s keychain, and it’s been signed by both new and old FreePBX keys. But the dashboard reports errors:

Module “Bulk Phone Restart” signed by an invalid key.
Module: “Bulk Phone Restart”, File: “module.sig check failed! Signed by unknown, untrusted key.”

What’s the story? Am I really the only one signing my own modules out there? Things keep breaking…

Ok solved my own problem again. Even though the key is shown as signed by FreePBX on the keyserver’s web interface, the output from gpg --check-sigs wasn’t showing this.

With the help of this Security Stack Exchange answer I created /var/lib/asterisk/.gnupg/gpg.conf with this content:

keyserver-options no-self-sigs-only,no-import-clean

And all is now working as expected.