I am trying to locally sign a third-party module for FreePBX to get rid of the “Unsigned Module(s)” banner at the top of the Dashboard page. I tried following the steps in the “Signing your own modules - FreePBX OpenSource Project - Documentation” wiki, with some help from the “Cannot locally sign module” thread, but now I am faced with a “Security Warning” banner that states that the module is signed with an invalid key.
During the GPG key creation, I did not specify a passphrase. Was this something I was supposed to do?
```
[[email protected] ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
   0 = key does not expire
   <n> = key expires in n days
   <n>w = key expires in n weeks
   <n>m = key expires in n months
   <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: IPBX
Email address: [email protected]
Comment: Key generated for the sccp_manager module
You selected this USER-ID:
    "IPBX (Key generated for the sccp_manager module) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway. You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 02F24BDD marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/02F24BDD 2023-03-22
    Key fingerprint = 1D47 08A9 194B E5A5 C3E2 E7A7 87A0 A873 8FD0 9BFF
uid IPBX (Key generated for the sccp_manager module) <[email protected]>
sub 2048R/0287E1C2 2023-03-22
```
During the signing process, I noticed that there was an error trying to read some public key. Is this something I should worry about?
```
[[email protected] modules]# cd /usr/src
[[email protected] src]# devtools/sign.php /var/www/html/admin/modules/sccp_manager --local 02F24BDD
gpg: error reading key: No public key
gpg: requesting key 755231A3 from hkp server keyserver.ubuntu.com
gpg: key 755231A3: public key "FreePBX Mirror Servers <[email protected]>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
Installing to local signing directory
Signing with 02F24BDD
Generating file list...
Signing /etc/freepbx.secure/sccp_manager.sig.. Done
Tagging module for local signing... Done
```
I also ran this to add the FreePBX Module Signing key to see if it would help, but no luck:
gpg --import /var/www/html/admin/libraries/BMO/9F9169F4B33B4659.key
Also, according to the FreePBX wiki (not that this might be relevant to local module signing), the keys.gnupg.net server does not exist anymore due to some GDPR issue. With that in mind, I did modify my /root/.gnupg/gpg.conf file to point to keyserver hkp://keyserver.ubuntu.com:80 in the meantime.
What am I doing wrong? Can I get this to work? And if I can’t, how can I get FreePBX to stop looking for a signature for this module and go back to the “Unsigned Module(s)” banner at the top of the Dashboard page instead of the “Security Warning” banner?
This was on a fresh install of FreePBX 16, Sangoma Linux 7.8, and Asterisk 18 from the distro install iso SNG7-PBX16-64bit-2302-1.iso.