p_lindheimer: [W]e understand the desire to have “a single use single machine” key. If we knew how to do this securely, we would. We’ve been laboring over a solution since we started signing. “Code submissions are welcome” … if there’s someone out there who has a solution to evaluate, we’d love to hear it.
In another thread that was closed, the Lead Developer questioned whether it was possible to have individually-generated, tamper-proof signed modules by outside developers or end users. It’s not only possible. It’s easy. (1) Create an SHA1 checksum for each module; (2) create a Linux directory in which the root user has write privileges and the asterisk user has read privileges; (3) in this new directory, store the checksum for each module to be signed in a separate file with root having write privileges and asterisk having read privileges; and (4) validate the checksum for the new module within FreePBX by separately calculating the SHA1 checksum for the modules and comparing those calculations with the values stored in the read-only files in the protected directory.