Problem trying to sign a module : "Module has been signed with an invalid key"

(Jbaron) #1


I have tried to sign my own module with my own key, following instructions on the wiki (Requesting a Key to be Signed and Signing your own modules).

# ./sign.php /opt/freepbx/www/admin/modules/droitappels/ 
Signing with D7669362454060A6
Generating file list...
Signing /opt/freepbx/www/admin/modules/droitappels/module.sig..gpg: using "D7669362454060A6" as default secret key for signing


But I still get “Module has been signed with an invalid key” in the “Module Admin” page and dashboard.

I tried to

#fwconsole ma refreshsignatures

I tried packaging the module and reinstalling it,

I tried updating “FreePBX Framework” to version,

Also tried to change (temporarily) the keyservers hardcoded in “FreePBX Framework” to one where my key is published (hkp:// but it doesn’t change the status of my own modules.

Is there something I am missing?

(Dave Burgess) #2

Knowing how the code signing stuff works, I’d say that you answered your own question right there. IIRC, everything has to be done through the key service at Sangoma.

(Jbaron) #3

That doesn’t seem to be the problem. The original keyserver list includes hkp:// (the documentation recommends sending keys to it and refreshing keys from it); I just removed other keyservers (pool dot sks-keyservers dot net has some problems at the moment).

Original $keyserver list in BMO/GPG.class.php:

// List of well-known keyservers.
private $keyservers = array(
	"",  // This should almost always work
	"hkp://",  // This is in case port 11371 is blocked outbound
	"", // Other random keyservers
	"",  // Other random keyserver
); // Yes. sks is there twice

What I tried

// List of well-known keyservers.
private $keyservers = array(
	"hkp://",  // This is in case port 11371 is blocked outbound
); // Yes. sks is there twice

To be clear, none of this works.

(Jbaron) #4

Found the bug!

Line 691 in www/admin/libraries/BMO/GPG.class.php

if (isset($out['status'][2]) && preg_match('/NO_PUBKEY (.+)/', $out['status'][2], $keyarr)) {

This doesn’t work for me. However,

if (isset($out['status'][3]) && preg_match('/NO_PUBKEY (.+)/', $out['status'][3], $keyarr)) {

does work.

$out['status'] is the status returned by the command (only the lines that are prefixed by “[GNUPG:]”):

#sudo -u asterisk gpg --status-fd 3 --output -  /opt/freepbx/www/admin/modules/droitappels/module.sig >

Here are the lines of interest:

[GNUPG:] ERRSIG D7669362454060A6 1 8 01 1586958176 9
[GNUPG:] NO_PUBKEY D7669362454060A6

NO_PUBKEY is in the 4th line, not the 3rd. Therefore “preg_match('/NO_PUBKEY (.+)/', $out['status'][2], $keyarr)” can never be true, and my key is never fetched from any keyserver at all.

You can see the proper way to check if the key needs to be fetched @ line 125 in www/admin/libraries/BMO/GPG.class.php :

for($i=1;$i<count($out['status']);$i++) {
    if (strpos($out['status'][$i], "[GNUPG:] NO_PUBKEY") === 0) {
        // fetch key here
    }
}

There may be a problem with my version of GnuPG (2.1.18). I wonder if anyone can show me what version they have and the result of the command line above.
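
The position-independent check described in post #4, as an added PHP example that is not part of the thread or of FreePBX's GPG.class.php: it compares reading a fixed array slot with scanning every status line for NO_PUBKEY. The function names and the first two sample status lines are constructed for illustration; only the ERRSIG and NO_PUBKEY lines come from the post.

```php
<?php
// Added example, not FreePBX code. Function names are hypothetical.

// The fixed-slot pattern from line 691: only one index is ever inspected.
function fixedIndexCheck(array $statusLines, $index)
{
    if (isset($statusLines[$index])
        && preg_match('/NO_PUBKEY (.+)/', $statusLines[$index], $m)) {
        return $m[1];
    }
    return null;
}

// Scan every status line, so the result does not depend on how many
// lines a given GnuPG version emits before NO_PUBKEY.
function missingKeyIds(array $statusLines)
{
    $ids = array();
    foreach ($statusLines as $line) {
        // Anchor on the machine-readable prefix and accept only a hex key ID
        // or fingerprint, so nothing else on the line is passed on to a
        // keyserver lookup.
        if (preg_match('/^\[GNUPG:\] NO_PUBKEY ([0-9A-F]{8,40})\s*$/', $line, $m)) {
            $ids[] = $m[1];
        }
    }
    // A key can be reported once per signature packet; look it up only once.
    return array_values(array_unique($ids));
}

// Constructed sample. The last two lines are quoted from the post; the
// first two are filler standing in for whatever precedes them.
$status = array(
    '[GNUPG:] PLAINTEXT 62 0 ',
    '[GNUPG:] NEWSIG',
    '[GNUPG:] ERRSIG D7669362454060A6 1 8 01 1586958176 9',
    '[GNUPG:] NO_PUBKEY D7669362454060A6',
);

// Index 2 is the ERRSIG line in this sample, index 3 the NO_PUBKEY line.
var_dump(fixedIndexCheck($status, 2));
var_dump(fixedIndexCheck($status, 3));
// The scan finds the key ID without knowing the line's position.
var_dump(missingKeyIds($status));
```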

(Dave Burgess) #5

Did you submit a bug report?

(Matthew Fredrickson) #6

Good catch!

Saw your patch on the I’ll see if I can get someone who has some experience with that code to audit your change.

Matthew Fredrickson

(Jbaron) #7

Yep, and as @mattf mentioned, I made a patch. I don’t know if it’s good enough, but it’s a start.
