Signing your own modules
Using FreePBX Signed Keys
After your key has been signed by the FreePBX Master Key, you will be able to sign modules using the 'sign.php' script in the Devtools repo.
[root@localhost devtools]# ./sign.php /var/www/html/admin/modules/paging
Signing /var/www/html/admin/modules/paging with 51F5B68D25155DCB
Generating file list...
Signing /var/www/html/admin/modules/paging/module.sig..
Done
[root@localhost devtools]# ls -al /var/www/html/admin/modules/paging/module.sig
-rw-r--r-- 1 root root 4625 Nov 17 12:51 /var/www/html/admin/modules/paging/module.sig
If you don't have a key signed by FreePBX, you will need to specify which key you want to use to sign the package. You may still sign your packages, but FreePBX will show them with an 'Invalid Key' warning.
[root@localhost devtools]# ./sign.php /var/www/html/admin/modules/paging
Wasn't able to find a valid key. Sorry
[root@localhost devtools]# gpg --list-secret-keys
/root/.gnupg/secring.gpg
------------------------
sec 2048R/E407B7AB 2014-11-17 [expires: 2015-11-17]
uid Ed Led Ovum (Ovum.com FreePBX Module Signing Key) <edled@ovum.com>
ssb 2048R/19663421 2014-11-17
[root@localhost devtools]# ./sign.php /var/www/html/admin/modules/paging E407B7AB
Signing /var/www/html/admin/modules/paging with E407B7AB
Generating file list...
Signing /var/www/html/admin/modules/paging/module.sig..
Done
[root@localhost devtools]#
To get the key fingerprint:
gpg --fingerprint
pub 2048R/28F9D098 2018-01-28
Key fingerprint = 965F 09B9 50B5 0BD9 7BAA 0E0F 9687 8C74 28F9 D098
uid Franck Danard <fdanard@sangoma.com>
sub 2048R/18F01234 2018-01-28
The key ID to use is the last 16 hex digits of the fingerprint: 96878C7428F9D098
It is expected that you tar the module directory up and distribute as normal, with the module.sig file included.
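As an added example (not from the original page or the devtools repo), the shell functions below derive the key ID shown above from a fingerprint and from GnuPG's colon-delimited listing, ignoring subkey fingerprints. The function names fpr_to_keyid and primary_keyids are hypothetical, and the sample listing is constructed from the fingerprint on this page.

```shell
#!/bin/sh
# Added example, not part of the FreePBX devtools repo.

# Constructed sample of `gpg --with-colons --fingerprint --list-secret-keys`
# output. The primary fingerprint is the one shown on this page; the subkey
# values are zero-padded placeholders.
SAMPLE='sec:u:2048:1:96878C7428F9D098:1517097600:::u:::scESC:
fpr:::::::::965F09B950B50BD97BAA0E0F96878C7428F9D098:
uid:u::::::::Franck Danard <fdanard@sangoma.com>:
ssb:u:2048:1:0000000018F01234:1517097600::::::e:
fpr:::::::::0000000000000000000000000000000018F01234:'

# Turn a 40-digit fingerprint, as printed by `gpg --fingerprint` (spaces, any
# case), into its last 16 hex digits: the key ID passed to sign.php.
fpr_to_keyid() {
    fpr=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    case $fpr in
        ''|*[!0-9A-F]*) echo "not a hex fingerprint: $1" >&2; return 1 ;;
    esac
    if [ "${#fpr}" -ne 40 ]; then
        echo "expected 40 hex digits, got ${#fpr}" >&2
        return 1
    fi
    printf '%s\n' "$fpr" | cut -c25-40
}

# Read the colon-delimited listing on stdin and print the key ID of every
# primary secret key. Only the fpr record right after a sec record counts;
# fpr records that follow ssb lines are subkey fingerprints.
primary_keyids() {
    awk -F: '
        $1 == "sec"         { want = 1; next }
        $1 == "fpr" && want { print $10; want = 0; next }
        $1 == "ssb"         { want = 0 }
    ' | while read -r f; do
        fpr_to_keyid "$f"
    done
}

# Demo on the constructed sample. On a real system:
#   gpg --with-colons --fingerprint --list-secret-keys | primary_keyids
#   ./sign.php /var/www/html/admin/modules/paging <key ID printed above>
printf '%s\n' "$SAMPLE" | primary_keyids
```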
Using Local Keys
If your key is not signed by the FreePBX Master Key, you can create a system-specific signature by running sign.php with the extra parameter '--local', as below:
Create a shortcut to sign
If you want a command-line shortcut for signing your modules, you can create a new file (sign) in /usr/bin/ containing code like this:
Next, change its permissions like this:
Next, you can use it like this.
Local Key Walkthrough
If you want to sign a module on your own system so it is protected against unauthorized tampering, here is an example of how to do it.
Note that these commands must be run as root on your machine.
Key Generation
Generate a key as per GPG Key Generation HowTo, or use your own key. You only need to run the 'gpg --gen-key' command; there is no need to push it out to the Web Of Trust.
Toolkit
Download the 'devtools' toolkit from Git. This contains scripts and helpers that are used to sign modules. This should be placed in /usr/src/devtools.
Sign the module
As this key is NOT signed by the FreePBX Development Team, the signing tool cannot automatically detect which key to use. You need to specify the key on the command line.
Complete Session walkthrough
As mentioned above, you must do this as root, and it will fail if you try to do this as another user. This is to ensure that non-root users can't tamper with modules that the root user has deemed safe.