Cannot locally sign module

Hello,

I’ve built a FreePBX module that I wish to sign.

Since it’s a commercial module, I cannot sign with the FreePBX Master Key, according to this page:
https://wiki.freepbx.org/display/FOP/Signing+your+own+modules

Because of that, I’m attempting to sign my module with a local key instead. I’ve followed the instructions listed on that page under **Complete Session walkthrough**, but FreePBX displays this error in the admin panel: “Module “My Module Name” signed by an invalid key.”

The output of the sign.php utility is this:

[root@localhost .gnupg]# /root/devtools/sign.php /var/www/html/admin/modules/mymodulename --local 4902C636CB141B70
gpg: checking the trustdb
gpg: public key of ultimately trusted key CB141B70 not found
gpg: public key of ultimately trusted key 023E6129 not found
gpg: public key of ultimately trusted key D0A48C05 not found
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: error reading key: No public key
gpg: requesting key B33B4659 from hkp server keys.gnupg.net
gpg: packet(13) too large
gpg: read_block: read error: Invalid packet
gpg: Total number processed: 0
gpg: no valid OpenPGP data found.
Installing to local signing directory
Signing with 4902C636CB141B70
        Generating file list...
        Signing /etc/freepbx.secure/mymodulename.sig..gpg: no default secret key: No secret key
gpg: [stdin]: clearsign failed: No secret key

Done
Tagging module for local signing...gpg: no default secret key: No secret key
gpg: [stdin]: clearsign failed: No secret key

Done

What am I doing wrong?

Thank you for your time.

That’s unfortunately due to an attack on the FreePBX key - you should be able to skip that by importing the key manually:

# gpg --import /var/www/html/admin/libraries/BMO/9F9169F4B33B4659.key
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key B33B4659: public key "FreePBX Module Signing (This is the master key to sign FreePBX Modules) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found
#

Edit: If that works, please tell me and I’ll update the wiki.

Thanks, that removed the packet error from the output.

I just generated a new key afterward and signed my module with that:

[root@localhost ~]# /root/devtools/sign.php /var/www/html/admin/modules/mymodulename --local F81ED4F9
Installing to local signing directory
Signing with F81ED4F9
        Generating file list...
        Signing /etc/freepbx.secure/mymodulename.sig..
Done
Tagging module for local signing...
Done
[root@localhost ~]#

No error messages in that output now, but unfortunately, the FreePBX web interface is still showing that my module is signed with an invalid key:

Module “My Module Name” signed by an invalid key.

Am I missing a step? Is it necessary to send my signing key to you guys before my key is valid? My understanding from the wiki is that I cannot do that since my module is a commercial module and not open source.

Nope, that should be it. The signing testing is part of the unit tests of Framework, so it shouldn’t EVER break!

Try running a reload, at a guess? (fwconsole reload). Also, this looks wrong:

Signing /etc/freepbx.secure/mymodulename.sig..gpg:

Can you please paste exactly the output, without censoring anything?

fwconsole reload didn’t help unfortunately.

Here is the exact output:

[root@localhost ~]# /root/devtools/sign.php /var/www/html/admin/modules/callhelper --local F81ED4F9
Installing to local signing directory
Signing with F81ED4F9
        Generating file list...
        Signing /etc/freepbx.secure/callhelper.sig..
Done
Tagging module for local signing...
Done
[root@localhost ~]#

and

Module “Call Helper” signed by an invalid key.

Well, it SHOULD work. Check the contents of the file and make sure it looks similar to the normal .sig files, I guess?

The only other thing I notice is that you’re not running sign.php from inside devtools, like the instructions say. I’m not sure that’s relevant, but please follow the instructions exactly. Are you running it on a FreePBX Distro machine?

Edit:

As in, do this:

# cd /root/devtools
# ./sign.php /var/www/html/admin/modules/callhelper --local F81ED4F9

That’s the way I did it the last time I signed a local module, and it worked fine for me.

Edit 2: Are you sure there isn’t a /var/www/html/admin/modules/callhelper/module.sig file there already? That takes precedence over the root-owned local stuff.
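
An added example, not part of the thread and not FreePBX code: a structural check for the two signature files mentioned above, useful because the first sign.php run printed "Done" even though gpg reported "clearsign failed". The function names and the SECURE_DIR / MODULES_DIR override variables are hypothetical; the default paths are the ones quoted in the thread.

```shell
#!/bin/sh
# check_clearsig FILE: structural check of an OpenPGP clearsigned file.
# Returns 0 well-formed, 1 missing or empty, 2 no signed-message header,
#         3 no complete signature block, 4 nothing in the signed body.
check_clearsig() {
    f=$1
    [ -s "$f" ] || return 1
    [ "$(head -n 1 "$f")" = "-----BEGIN PGP SIGNED MESSAGE-----" ] || return 2
    # The signature block must open and close, in that order.
    begin=$(grep -n '^-----BEGIN PGP SIGNATURE-----' "$f" | head -n 1 | cut -d: -f1)
    end=$(grep -n '^-----END PGP SIGNATURE-----' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$begin" ] && [ -n "$end" ] && [ "$begin" -lt "$end" ] || return 3
    # Count non-blank lines between the first blank line (end of the armor
    # headers) and the start of the signature block.
    body=$(awk -v b="$begin" '
        NR >= b { exit }
        seen && NF { n++ }
        !seen && NR > 1 && !NF { seen = 1 }
        END { print n + 0 }' "$f")
    [ "$body" -gt 0 ] || return 4
    return 0
}

describe() {
    case $1 in
        0) echo "well-formed clearsigned file" ;;
        1) echo "missing or empty" ;;
        2) echo "no PGP SIGNED MESSAGE header" ;;
        3) echo "signature block missing or incomplete" ;;
        4) echo "signed body is empty" ;;
    esac
}

# report_sigs MODULE: check both locations discussed in the thread.
report_sigs() {
    mod=$1
    for f in "${SECURE_DIR:-/etc/freepbx.secure}/$mod.sig" \
             "${MODULES_DIR:-/var/www/html/admin/modules}/$mod/module.sig"; do
        rc=0
        check_clearsig "$f" || rc=$?
        echo "$f: $(describe "$rc")"
    done
}

# Stand-alone use: ./check_sigs.sh callhelper
[ $# -eq 0 ] || report_sigs "$1"
```

A file that passes this check can then be given to `gpg --verify` to see which key ID produced the signature.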

I’m running this on a CentOS 7 installation with FreePBX installed, not the FreePBX distro

Edit 2: Are you sure there isn’t a /var/www/html/admin/modules/callhelper/module.sig file there already? That takes precedence over the root-owned local stuff.

That might be part of it, I might have had an old module.sig from another module in there (copied and pasted the directory contents when I made the new module, using an old module as a template).

I just deleted the module.sig from /var/www/html/admin/modules/callhelper, and ran the sign utility again (from /root/devtools as you suggested), and rebooted. It looks like the signing utility put my newly-created module.sig in the /var/www/html/admin/modules/callhelper directory, and now we’re back to square one with the “Invalid key” message. Hmmmm…