What is the GPG issue?

billsimon · December 12, 2019, 8:48pm

gist.github.com

https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

keyservers.md

# SKS Keyserver Network Under Attack

_This work is released under a [Creative Commons Attribution-NoDerivatives 4.0 International License](http://creativecommons.org/licenses/by-nd/4.0/)._

## Terminological Note

"OpenPGP" refers to the OpenPGP protocol, in much the same way that HTML refers to the protocol that specifies how to write a web page.  "GnuPG", "SequoiaPGP", "OpenPGP.js", and others are implementations of the OpenPGP protocol in the same way that Mozilla Firefox, Google Chromium, and Microsoft Edge refer to software packages that process HTML data.

## Who am I?

This file has been truncated. show original

Looks like the key servers are useless, and the FreePBX key has been poisoned (evidenced by the failures).

So as I understand it, module signature checking can only happen against signatures that are local on the PBX. And those could get corrupted if someone gets access to your PBX via exploit, making signature checking useless.

Seems like there’s a serious problem here. Is the only mitigation at this time to disable signature checking?

(bump)