Signing your own modules

1 Using FreePBX Signed Keys
2 Using Local Keys
3 Create a shortcut to sign
4 Local Key Walkthrough
- 4.1 Key Generation
- 4.2 Toolkit
- 4.3 Sign the module
5 Complete Session walkthrough

Using FreePBX Signed Keys

After your key has been signed by the FreePBX Master Key, you will be able to sign modules using the 'sign.php' script in the Devtools repo.

[root@localhost devtools]# ./sign.php /var/www/html/admin/modules/paging
Signing /var/www/html/admin/modules/paging with 51F5B68D25155DCB
        Generating file list...
        Signing /var/www/html/admin/modules/paging/module.sig..
Done
[root@localhost devtools]# ls -al /var/www/html/admin/modules/paging/module.sig
-rw-r--r-- 1 root root 4625 Nov 17 12:51 /var/www/html/admin/modules/paging/module.sig

If you don't have a key signed by FreePBX, you will need to specify which key you want to use to sign the package. You may still sign your packages, but they will appear as a Warning on FreePBX as 'Invalid Key'

[root@localhost devtools]# ./sign.php /var/www/html/admin/modules/paging
Wasn't able to find a valid key. Sorry
[root@localhost devtools]# gpg --list-secret-keys
/root/.gnupg/secring.gpg
------------------------
sec   2048R/E407B7AB 2014-11-17 [expires: 2015-11-17]
uid                  Ed Led Ovum (Ovum.com FreePBX Module Signing Key) <edled@ovum.com>
ssb   2048R/19663421 2014-11-17
[root@localhost devtools]# ./sign.php /var/www/html/admin/modules/paging E407B7AB
Signing /var/www/html/admin/modules/paging with E407B7AB
        Generating file list...
        Signing /var/www/html/admin/modules/paging/module.sig..
Done
[root@localhost devtools]#

To get the fingerprint keys:

gpg --fingerprint
pub   2048R/28F9D098 2018-01-28
      Key fingerprint = 965F 09B9 50B5 0BD9 7BAA  0E0F 9687 8C74 28F9 D098
uid                  Franck Danard <fdanard@sangoma.com>
sub   2048R/18F01234 2018-01-28

The fingerprint key will be : 96878C7428F9D098

It is expected that you tar the module directory up and distribute as normal, with the module.sig file included.

Using Local Keys

If your key is not signed by the FreePBX Master Key, you can create a system-specific signature by running sign.php with the extra parameter '--local', as below:

[root@localhost devtools]# ./sign.php /var/www/html/admin/modules/gpgtest --local 4058826678A79FC4
Installing to local signing directory
Signing with 4058826678A79FC4
    Generating file list...
    Signing /etc/freepbx.secure/gpgtest.sig..
Done
Tagging module for local signing...
Done
[root@localhost devtools]#

Create a shortcut to sign

If you want to make a cmd line to sign your module, you can create a new file (sign) in /usr/bin/ and put this code like this:

#!/bin/sh
module=$1;
key=$2;
 
/usr/src/devtools/sign.php /var/www/html/admin/modules/$module $key

Next, change privileges like this:

chmod 755 /usr/bin/sign

Next, you can use it like this.

# sign paging
 
or
 
# sign paging E407B7AB

Local Key Walkthrough

If you want to sign a module on your own system so it is protected against unauthorized tampering, here is an example of how to do it.

Note that these commands must be run as root on your machine.

Key Generation

Generate a key as per GPG Key Generation HowTo, or use your own key. You only need to run the 'gpg --gen-key' command, there is no need to push it out to the Web Of Trust.

Toolkit

Download the 'devtools' toolkit from http://github.com/FreePBX/devtools. This contains scripts and helpers that are used to sign modules. This should be placed in /usr/src/devtools

[root@sng7 /]# cd /usr/src
[root@sng7 src]# git clone https://github.com/FreePBX/devtools
Cloning into 'devtools'...
remote: Counting objects: 11092, done.
remote: Compressing objects: 100% (7144/7144), done.
remote: Total 11092 (delta 4301), reused 10276 (delta 3763)
Receiving objects: 100% (11092/11092), 11.69 MiB | 600.00 KiB/s, done.
Resolving deltas: 100% (4301/4301), done.
[root@sng7 src]#

Sign the module

As this key is NOT signed by the FreePBX Development Team, the signing tool can not automatically detect which key to use. You need to specify the key on the command line.

[root@sng7 ~]# /usr/src/devtools/sign.php /var/www/html/admin/modules/ponies --local 464742D0
Installing to local signing directory
Signing with 464742D0
        Generating file list...
        Signing /etc/freepbx.secure/ponies.sig..
Done
Tagging module for local signing...
Done
[root@sng7 ~#]

Complete Session walkthrough

[root@sng7 ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Test Key
Email address: test@example.com
Comment: Test key to demonstrate local signing
You selected this USER-ID:
    "Test Key (Test key to demonstrate local signing) <test@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 464742D0 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
pub   2048R/464742D0 2016-11-29
      Key fingerprint = 0F5C ACDF 5BCA 939D 68CD  CAAC 1838 1192 4647 42D0
uid                  Test Key (Test key to demonstrate local signing) <test@example.com>
sub   2048R/7E11F49B 2016-11-29
[root@sng7 ~]# cd /usr/src
[root@sng7 src]# git clone http://github.com/FreePBX
Cloning into 'devtools'...
remote: Counting objects: 11092, done.
remote: Compressing objects: 100% (7144/7144), done.
remote: Total 11092 (delta 4301), reused 10276 (delta 3763)
Receiving objects: 100% (11092/11092), 11.69 MiB | 600.00 KiB/s, done.
Resolving deltas: 100% (4301/4301), done.
[root@sng7 src]# devtools/sign.php /var/www/html/admin/modules/ponies --local 464742D0
Installing to local signing directory
Signing with 464742D0
        Generating file list...
        Signing /etc/freepbx.secure/ponies.sig..
Done
Tagging module for local signing...
Done
[root@sng7 src#]

As mentioned above, you must do this as root, and it will fail if you try to do this as another user. This is to ensure that non-root users can't tamper with modules that the root user has deemed safe.