Problem trying to sign a module : "Module has been signed with an invalid key"

Hello,

I have tried to sign my own module with my own key, following instructions on the wiki (Requesting a Key to be Signed and Signing your own modules).

# ./sign.php /opt/freepbx/www/admin/modules/droitappels/ 
Signing with D7669362454060A6
Generating file list...
Signing /opt/freepbx/www/admin/modules/droitappels/module.sig..gpg: using "D7669362454060A6" as default secret key for signing

Done
#

But I still get “Module has been signed with an invalid key” in the “Module Admin” page and dashboard.

I tried to

#fwconsole ma refreshsignatures

I tried packaging the module and reinstalling it,

I tried updating “FreePBX Framework” to version 15.0.16.49,

Also tried to change (temporarily) the keyservers hardcoded in “FreePBX Framework” to one where my key is published (hkp://keyserver.ubuntu.com:80) but it doesn’t change the status of my own modules.

Is there something I am missing?

Knowing how the code signing stuff works, I’d say that you answered your own question right there. IIRC, everything has to be done through the key service at Sangoma.

That doesn’t seem to be the problem, the original keyserver list includes hkp://keyserver.ubuntu.com:80 (the documentation recommends sending keys to it and refreshing keys from it), I just removed other keyservers (pool dot sks-keyservers dot net has some problems at the moment).

Original $keyserver list in BMO/GPG.class.php :

// List of well-known keyservers.
private $keyservers = array(
	"pool.sks-keyservers.net",  // This should almost always work
	"hkp://keyserver.ubuntu.com:80",  // This is in case port 11371 is blocked outbound
	"pgp.mit.edu", // Other random keyservers
	"keyserver.pgp.com",  // Other random keyserver
	"pool.sks-keyservers.net"
); // Yes. sks is there twice

What I tried

// List of well-known keyservers.
private $keyservers = array(
	"hkp://keyserver.ubuntu.com:80",  // This is in case port 11371 is blocked outbound
); // Yes. sks is there twice

To be clear, none of this works.

Found the bug!

Line 691 in www/admin/libraries/BMO/GPG.class.php

if (isset($out['status'][2]) && preg_match('/NO_PUBKEY (.+)/', $out['status'][2], $keyarr)) {

This doesn’t work for me. However,

if (isset($out['status'][3]) && preg_match('/NO_PUBKEY (.+)/', $out['status'][3], $keyarr)) {

does work.

$out['status'] is the status returned by the command (only the lines that are prefixed by “[GNUPG:]”):

#sudo -u asterisk gpg --status-fd 3 --output -  /opt/freepbx/www/admin/modules/droitappels/module.sig >

Here are the lines of interest :

[GNUPG:] PLAINTEXT 74 0
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG D7669362454060A6 1 8 01 1586958176 9
[GNUPG:] NO_PUBKEY D7669362454060A6

NO_PUBKEY is in the 4th line, not the 3rd. Therefore “preg_match('/NO_PUBKEY (.+)/', $out['status'][2], $keyarr)” can never be true, and my key is never fetched from any keyserver at all.

You can see the proper way to check if the key needs to be fetched @ line 125 in www/admin/libraries/BMO/GPG.class.php :

for($i=1;$i<count($out['status']);$i++) {
    if (strpos($out['status'][$i], "[GNUPG:] NO_PUBKEY") === 0) {
        // fetch key here
    }
}

There may be a problem with my version of GnuPG (2.1.18). I wonder if anyone can show me what version they have and the result of the command line above.

2 Likes
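The following added example, which is not from the thread or from FreePBX's code, runs the fixed-index check and a scan of every status line over the status output quoted above and over a constructed variant without the NEWSIG line. The function names and the hex-only key ID pattern are assumptions made for the illustration.

```php
<?php
// Added example; the function names are hypothetical, not FreePBX's.

// Fixed-index check in the style of the line quoted from GPG.class.php.
function missingKeyAtIndex(array $status, $index)
{
    if (isset($status[$index]) && preg_match('/NO_PUBKEY (.+)/', $status[$index], $m)) {
        return $m[1];
    }
    return null;
}

// Position-independent check: scan every status line, anchor on the
// "[GNUPG:] NO_PUBKEY" prefix, and accept only a hex key ID, since the
// value is assumed to be passed on to a keyserver lookup.
function missingKeyIds(array $status)
{
    $ids = array();
    foreach ($status as $line) {
        if (preg_match('/^\[GNUPG:\] NO_PUBKEY ([0-9A-Fa-f]{16,40})\s*$/', $line, $m)) {
            $ids[] = strtoupper($m[1]);
        }
    }
    return array_values(array_unique($ids));
}

// Status lines as quoted in the thread (GnuPG 2.1.18).
$fromThread = array(
    '[GNUPG:] PLAINTEXT 74 0',
    '[GNUPG:] NEWSIG',
    '[GNUPG:] ERRSIG D7669362454060A6 1 8 01 1586958176 9',
    '[GNUPG:] NO_PUBKEY D7669362454060A6',
);
// Constructed for comparison: the same lines without NEWSIG.
$withoutNewsig = array($fromThread[0], $fromThread[2], $fromThread[3]);

foreach (array('thread' => $fromThread, 'constructed' => $withoutNewsig) as $name => $status) {
    printf(
        "%-12s index 2: %-20s scan: %s\n",
        $name,
        var_export(missingKeyAtIndex($status, 2), true),
        implode(',', missingKeyIds($status))
    );
}
```

The fixed-index check finds the key only in the constructed layout, while the scan finds it in both, so a change in the number of status lines before NO_PUBKEY does not silently skip the key fetch.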

Did you submit a bug report?

Good catch!

Saw your patch on the git.freepbx.org. I’ll see if I can get someone who has some experience with that code to audit your change.

Matthew Fredrickson

Yep, and as @mattf mentioned, I made a patch. I don’t know if it’s good enough, but it’s a start.

1 Like
