Problem trying to sign a module : "Module has been signed with an invalid key"


I have tried to sign my own module with my own key, following instructions on the wiki (Requesting a Key to be Signed and Signing your own modules)

# ./sign.php /opt/freepbx/www/admin/modules/droitappels/ 
Signing with D7669362454060A6
Generating file list...
Signing /opt/freepbx/www/admin/modules/droitappels/module.sig..gpg: using "D7669362454060A6" as default secret key for signing


But I still get “Module has been signed with an invalid key” in the “Module Admin” page and dashboard.

I tried to

#fwconsole ma refreshsignatures

I tried packaging the module and reinstalling it,

I tried updating “FreePBX Framework” to version,

Also tried to change (temporarily) the keyservers hardcoded in “FreePBX Framework” to one where my key is published (hkp:// but it doesn’t change the status of my own modules.

Is there something I am missing?

Knowing how the code signing stuff works, I’d say that you answered your own question right there. IIRC, everything has to be done through the key service at Sangoma.

That doesn’t seem to be the problem, the original keyserver list includes hkp:// (the documentation recommends sending keys to it and refreshing keys from it) , I just removed other keyservers ( pool dot sks-keyservers dot net has some problems at the moment )

Original $keyserver list in BMO/GPG.class.php :

// List of well-known keyservers.
private $keyservers = array(
	"",  // This should almost always work
	"hkp://",  // This is in case port 11371 is blocked outbound
	"", // Other random keyservers
	"",  // Other random keyserver
); // Yes. sks is there twice

What I tried

// List of well-known keyservers.
private $keyservers = array(
	"hkp://",  // This is in case port 11371 is blocked outbound
); // Yes. sks is there twice

To be clear, none of this works.

Found the bug!

Line 691 in www/admin/libraries/BMO/GPG.class.php

if (isset($out['status'][2]) && preg_match('/NO_PUBKEY (.+)/', $out['status'][2], $keyarr)) {

This doesn’t work for me. However,

if (isset($out['status'][3]) && preg_match('/NO_PUBKEY (.+)/', $out['status'][3], $keyarr)) {

does work.

$out[‘status’] is the status returned by the command (only the lines that are prefixed by “[GNUPG:]”) :

#sudo -u asterisk gpg --status-fd 3 --output -  /opt/freepbx/www/admin/modules/droitappels/module.sig >

Here are the lines of interest :

[GNUPG:] ERRSIG D7669362454060A6 1 8 01 1586958176 9
[GNUPG:] NO_PUBKEY D7669362454060A6

NO_PUBKEY is in the 4th line, not the 3rd. Therefore “preg_match(’/NO_PUBKEY (.+)/’, $out[‘status’][2], $keyarr)” can never be true, and my key is never fetched from any keyserver at all.

You can see the proper way to check if the key needs to be fetched @ line 125 in www/admin/libraries/BMO/GPG.class.php :

for($i=1;$i<count($out['status']);$i++) {
    if (strpos($out['status'][$i], "[GNUPG:] NO_PUBKEY") === 0) {
        // fetch key here

There may be a problem with my version of GnuPG (2.1.18) I wonder if anyone can show me what version they have and the result of the command line above.


Did you submit a bug report?

Good catch!

Saw your patch on the I’ll see if I can get someone who has some experience with that code to audit your change.

Matthew Fredrickson

Yep, and as @mattf mentioned, I made a patch. I don"t know if it’s good enough, but it’s a start.

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.