Hello, recently I discovered that I cannot upgrade or install any new module in FreePBX 12.0.76.2 due to GPG verification check. I followed recommendations in similar posts, refreshing keys… etc.
Current situation is this;
running _gpg --verify (path to…)/admin/modules/cache/queues-12.0.21.tgz.gpg
I get this:
gpg: Signature made Tue 01 Mar 2016 10:07:20 PM CET using RSA key ID 69D2EAD9
gpg: Good signature from "FreePBX Mirror 1 (Module Signing - 2014/2015) <security’at’freepbx.org>"
but running amportal a ma download queues gives me:
Downloading 318769 of 318769 (100%)
The following error(s) occured:
_ - File Integrity failed for …/admin/modules/cache/queues-12.0.21.tgz.gpg - aborting (GPG Verify File check failed)
The same thing happens with upgrading framework or any other module…
I would very much like to avoid reinstalling FreePBX if possible…
Thanks!
Please check the running of this: " fwconsole ma refreshsignatures"
Allready did all this…
… chown
… refreshsignatures
… chown (again)
… reload
to no avail…
sudo -u asterisk gpg --refresh-keys --keyserver pool.sks-keyservers.net
sudo -u asterisk gpg --refresh-keys --keyserver hkp://keyserver.ubuntu.com:80
sudo -u asterisk gpg --refresh-keys --keyserver pgp.mit.edu
sudo -u asterisk gpg --refresh-keys --keyserver keyserver.pgp.comThanks Andrew,
did all this… look I have these keys in my pubring.gpg ;
pub 4096R/69D2EAD9 2014-05-05
uid FreePBX Mirror 1 (Module Signing - 2014/2015) <security’at’freepbx.org>
sub 4096R/CCEBF9CB 2014-05-05
pub 4096R/B33B4659 2014-04-30
uid FreePBX Module Signing (This is the master key to sign FreePBX Modules) <modules’at’freepbx.org>
sub 4096R/5C2FE148 2014-04-30
pub 4096R/FE6D84F7 2016-05-04
uid FreePBX Mirror 1 (Module Signing - 2016/2017) <security’at’freepbx.org>
sub 4096R/A6869B39 2016-05-04
pub 1024D/11F63C51 2002-02-28
uid Jamie Cameron <jcameron’at’webmin.com>
sub 1024g/1B24BE83 2002-02-28
can you verify these are the right keys?.. the ones for FreePBX…
Run the commands I gave you and all will be well
I did run them. The last one keyserver.pgp.com is not accessible… and still I have GPG verification failure while installing modules through amportal… while system command gpg verification gives me clean bill of health.
I’m not using distro. My setup is CentOS 6.7 with Asterisk 11.20, php 5.3.3 and FreePBX 12.
I have another machine with similar problem. I refreshed the keys with servers you suggested.
gpg file verification gives me this;
_gpg --verify /var/www/html/admin/modules/cache/ivr-12.0.1.tgz.gpg
gpg: Signature made Tue 24 Nov 2015 10:25:17 PM CET using RSA key ID 69D2EAD9
gpg: Good signature from "FreePBX Mirror 1 (Module Signing - 2014/2015) <security’at’freepbx.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
It appears that key signature is not trusted…?
Something is blocking you from getting valid keys. I’d try erasing the gpg folders and see if freepbx will fix it automatically. Unfortunately you are on freepbx 12 so there’s not a magic command to fix this.
Here’s a few other commands you can run
Try them as asterisk and as root.
Both machines are behind different ISP’s connections to net. I’m controlling the firewall so port 11371 is not blocked on outward connections, besides ubuntu keyserver is reached on port 80…
On one machine I emptied the keys and did get them from keyring servers.
Can you verify that these are the right keys;
gpg: key B33B4659: “FreePBX Module Signing (This is the master key to sign FreePBX Modules) <modules’at’freepbx.org>” not changed
gpg: key 69D2EAD9: “FreePBX Mirror 1 (Module Signing - 2014/2015) <security’at’freepbx.org>” not changed
gpg: key FE6D84F7: “FreePBX Mirror 1 (Module Signing - 2016/2017) <security’at’freepbx.org>” not changed
key B33B4659, key 69D2EAD9, key FE6D84F7 … ? 69D2EAD9 is old key 2014/2015 after reffreshing the keys I did get the new one FE6D84F7 2016/2017… validity time stamp indicates that this should be current one.
I get this…
gpg --keyserver pgp.mit.edu --recv-key 3DDB2122FE6D84F7
gpg: requesting key FE6D84F7 from hkp server pgp.mit.edu
gpg: key FE6D84F7: “FreePBX Mirror 1 (Module Signing - 2016/2017) <security’at’freepbx.org>” not changed
gpg: Total number processed: 1
gpg: unchanged: 1
so it appears I have that key… “FE6D84F7”
Did you run that as asterisk and root? Seems as though you only did it for one user.
Unfortunately I’m unable to verify anything you are pasting since I’m not on your system.
That did the trick! Thanks Andrew. You pointed me to right direction.
It appears that during initial installation all was done as root user and initial keys were located under root user.
But at the end of installation Freepbx was switched to run under asterisk user (as per inst. guide).
Somehow everything was working fine until old keys expired.
I just don’t understand why running ‘amportal’ commands under root user is looking for gpg keys under asterisk user… but it appears to be the case… although running things through FreePBX web interface as particular web service is running under asterisk user - implies that asterisk user must have access to gpg keyring set.
Thanks again!