Trying to upgrade FPBX 2.11 to v12 (yes I know) I am getting file integrity error

It’s because of the signature checking and none of the links to update that work anymore. How do I get GPG signature checking working for upgrading from v2.11 to v12? It’s stuck right in the middle of the upgrade right now where it only upgraded the framework module, so my PBX is dead right now until I can get past this.

Yes I know people will recommend I upgrade to v15 and try to restore a backup but that’s not an option right at this moment.

Any help would be greatly appreciated.

```
sudo -u asterisk gpg --keyserver hkps://keys.openpgp.org --refresh-keys
gpg: refreshing 2 keys from hkps://keys.openpgp.org
gpg: requesting key B33B4659 from hkps server keys.openpgp.org
gpg: requesting key 69D2EAD9 from hkps server keys.openpgp.org
gpgkeys: HTTP fetch error 60: Peer certificate cannot be authenticated with known CA certificates
gpgkeys: HTTP fetch error 60: Peer certificate cannot be authenticated with known CA certificates
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
```

I don’t think you can. You might have to do v15 and restore.

I also tried amportal a ma refreshsignatures and that works ok checking existing signatures. Doesn’t solve this issue though.

```
amportal a ma refreshsignatures

Please wait...

Getting Data from Online Server...Done
Checking Signatures of Modules...
Checking backup...Good
Checking builtin...Good
Checking cdr...Good
Checking conferences...Good
Checking core...Good
Checking customappsreg...Good
Checking dashboard...Good
Checking directory...Good
Checking extensionsettings...Good
Checking featurecodeadmin...Good
Checking findmefollow...Good
Checking framework...Good
Checking fw_ari...Good
Checking infoservices...Good
Checking ivr...Good
Checking languages...Good
Checking logfiles...Good
Checking music...Good
Checking parking...Good
Checking recordings...Good
Checking ringgroups...Good
Checking sipsettings...Good
Checking sysadmin...Good
Checking timeconditions...Good
Checking vmblast...Good
Checking vmnotify...Good
Checking voicemail...Good
Done
```

Well there was an issue about a year or so ago where the old PGP keys got poisoned so things had to be updated. Very possible the old PGP keys can’t be used anymore and this will stop this upgrade.

Now does `amportal ma upgradeall` still fail?

You should be able to “locally install” after ‘gitting’ https://github.com/FreePBX/core if you choose your branch carefully.

Upgradeall fails because all the modules fail the signature check upgrading from 2.11 to 12. What makes this a particularly nasty problem is that this does not affect framework module. The upgrader module first upgrades framework but then can’t upgrade anything else. Since you can’t easily downgrade framework between major versions you are now stuck in never never land. I managed to manually downgrade it back to where it was before but it was not fun.

I have never liked the signature system. Any facade that this was done in the name of security should have faded a long time ago. Hackers just found new ways around it as evidenced by recent vulnerabilities. I have never seen the signature checking prevent a hack but I have had it cause all sorts of other problems like this. So it causes more problems than it has ever prevented, at least for me. Any ‘solution’ that does that is no solution at all imo.

If the signature system was truly done in the name of security, and not just for business reasons, then it should have been scrapped a long time ago.

Please cite evidence that hackers have gotten around the signature system.

Also, you are complaining within the context of upgrading an ancient version to another ancient version.

Does

```
fwconsole set SIGNATURECHECK 0
```

help?

Sure, here you go.

https://wiki.freepbx.org/display/FOP/List+of+Securities+Vulnerabilities

Non-technical people (99% of users) don’t care what version it is as long as it works and old versions still work just fine. I personally prefer the old non-tab theme over the one that was added in v13.

Security is not a problem on old systems because I add my own security at a lower level. Lower level security is far more effective than anything application layer security is capable of doing anyways.

Then you don’t understand the point of the signature system. It doesn’t somehow magically guarantee that modules don’t have any bugs. It tells you whether someone has tampered with your modules.

You asked for evidence and I gave it to you. Now you seem to be trying to change the subject and talk down to me some more. I am just trying to solve the problem because that’s what I do.

I am not changing the subject. You haven’t provided any evidence that the signature system was circumvented, which was what I asked.

Frankly I’m not trying to help. Just turn off the signature system and carry on. I’m addressing your rant about the uselessness of the signature system. Which you don’t understand anyway.

If you think turning off the signature system solves the problem then you do not understand it as well as I do. Trying to twist what I said about it into something else is not helpful.

So what’s your process for upgrading?

Did you try downloading the v12 tarball (http://mirror.freepbx.org/modules/packages/freepbx/freepbx-12.0-latest.tgz) and running the installer, telling it your existing db and asterisk manager credentials? That’s probably the direction I would take in your situation. The tarball has 13 modules in it (14 if you include framework). I don’t know whether you would have to delete your existing /var/www/html/admin path before running the installer or not.

When you’re making this statement you need to be a little more specific on the users. You mean the end users of your PBX deployment? Because then I’ll bite on the 99% of users claim. However, when talking about FreePBX and the Admin GUI the only users would be those with administrative access. I’m not biting on 99% of them being non-technical.

Additionally, while your statement is mainly true (most don’t care what version as long as it works) there is also a follow up to that statement. They don’t care until things start to break when they actually try to do something more. Then they care a great deal to the point they get overly defensive about never updating for almost a decade when asking for help.

Now as I have pointed out before there was an issue with GPG a few years back, bigger than just FreePBX.

This one is from 2016
GPG Verify File check failed - FreePBX - FreePBX Community Forums

This one is from 2019
What is the GPG issue? - FreePBX / Security - FreePBX Community Forums

There are quite a few threads from 2019 and older about the issues with GPG and older keys being poisoned. All of this was handled at the time it was an actual issue and resolutions were current for it. Now that more time has passed and there have been various updates to OSes and other levels of software on those systems, the solutions that worked 3-4 years ago might not work now.

The easiest and the most efficient solution to this is to back up your current PBX, install v15 and then restore your backup to it. I have yet to see an actual valid reason as to why this is not the approach being taken thus far.

So there is a lot of back and forth that frankly tl;dr

My recommendation would be to do a backup and restore to a clean copy of 15.

Typically development including security and bug fixes are for the current and previous version so 15 and 16. You could be sitting on a ton of bugs and security issues running software that old that frankly aren’t going to be fixed because they were addressed in a later release. It has been about 10 years, time to update.

Any explanation why I am not doing that does not get me any closer to solving my immediate problem. I know that as soon as I bring up feature creep and bloat (among other reasons) on newer versions that will take the discussion off on another tangent. I also don’t need lectures on optimizing the LAMP stack and removing features to try to get the memory usage down. I have done more than my fair share of that.

Well you are in the wrong decade for getting support on FreePBX 12, but if that’s the version you most prefer, you should probably fork it and maintain it to your own liking. And learn how to support it on your own. Good luck.

OK. Well you’re going along an unsupported route as of right now. 2.11 to v12 was supported almost a decade ago. Your immediate problem is that GPG keys that were used a decade ago have been poisoned and you cannot use them for signature checks or other checks. As previously stated you would need to turn all this off. If you have done that and you are still having issues then you need to be specific about what you have done/tried and what has not worked and the results. Maybe someone can help with this.

If bloat and whatever is your issue then don’t use the distro. Do a manual install and only install the things you need. Of course if you have any commercial modules, this won’t be an option.

Again, you are doing something that is no longer supported. This is going to require anyone helping you to go back almost a decade and remember the pitfalls of this upgrade and then have to get around a GPG issue that used to exist with older versions but doesn’t anymore.

Or someone well versed to do it for you which won’t be “free”

There is no automated update path here, it has to be done manually.

https://wiki.freepbx.org/display/FOP/Version+12.0+Installation
