Is Locally-Signed Modules Working?

I am trying to locally sign a third-party module for FreePBX to get rid of the “Unsigned Module(s)” banner at the top of the Dashboard page. I tried following the steps in the Signing your own modules - FreePBX OpenSource Project - Documentation wiki and some help from the Cannot locally sign module thread, but now I am faced with a “Security Warning” banner that states that the module is signed with an invalid key.

During the GPG key creation, I did not specify a passphrase, was this something I was supposed to do?

[root@IPBX ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: IPBX
Email address: [email protected]
Comment: Key generated for the sccp_manager module
You selected this USER-ID:
    "IPBX (Key generated for the sccp_manager module) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 02F24BDD marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/02F24BDD 2023-03-22
      Key fingerprint = 1D47 08A9 194B E5A5 C3E2  E7A7 87A0 A873 8FD0 9BFF
uid                  IPBX (Key generated for the sccp_manager module) <[email protected]>
sub   2048R/0287E1C2 2023-03-22

And during the signing process I noticed that there was an error trying to read some public key, is this something I should worry about?

[root@IPBX modules]# cd /usr/src
[root@IPBX src]# devtools/sign.php /var/www/html/admin/modules/sccp_manager --local 02F24BDD
gpg: error reading key: No public key
gpg: requesting key 755231A3 from hkp server keyserver.ubuntu.com
gpg: key 755231A3: public key "FreePBX Mirror Servers <[email protected]>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
Installing to local signing directory
Signing with 02F24BDD
        Generating file list...
        Signing /etc/freepbx.secure/sccp_manager.sig..
Done
Tagging module for local signing...
Done

I also ran this to add the FreePBX Module Signing key to see if it would help, but no luck:

gpg --import /var/www/html/admin/libraries/BMO/9F9169F4B33B4659.key

Also, according to the FreePBX wiki, and not that this might be relevant to local module signing, but the keys.gnupg.net server does not exist anymore due to some GDPR issue. With that in mind, I did modify my /root/.gnupg/gpg.conf file to point to keyserver hkp://keyserver.ubuntu.com:80 in the meantime.

What am I doing wrong? Can I get this to work? And if I can’t, how can I get FreePBX to stop looking for a signature for this module and go back to the “Unsigned Module(s)” banner at the top of the Dashboard page instead of the “Security Warning” banner?

This was on a fresh install of FreePBX 16, Sangoma Linux 7.8, and Asterisk 18 from the distro install iso SNG7-PBX16-64bit-2302-1.iso.

Anyone?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.