Module Signing

Introduction

FreePBX now has a built-in signature verification system for all official modules. This lets you, the end user, easily tell if a module has been modified unexpectedly (for example, as the result of a security vulnerability or a malicious module).

Upgrading from 2.11 and have unsigned modules?

You may have come here because you've seen this security warning pop up, and you have a pile of unsigned modules. Don't panic! You just haven't completed the last part of the upgrade from 2.11 to 12. You need to log in to your FreePBX server via ssh, or via the console, and run the following three commands:

    amportal chown
    amportal a ma refreshsignatures
    amportal a reload

    #FWCONSOLE COMMANDS
    fwconsole chown
    fwconsole ma refreshsignatures
    fwconsole reload

That will ensure that all the files have the correct permissions, re-download any modules on your machine that don't have signatures, and finally click the 'Reload Now' button for you. After that, all the warnings and errors should be gone!

Overview

Module signing notices, introduced in FreePBX 12, appear as a notification bar on every module page when there are any issues detected:

 

You can expand these warnings by clicking the "Details" bar to get a detailed analysis of what has failed integrity checks.

Alternatively you can also close this security message with the X in the corner, which will hide the messages (until it changes). 

These notices will also show up in your dashboard and email as 'security' notices like so:

 

Yellow security notices are general warnings, while red security messages mean a file has been modified from how it originally came from FreePBX.

 

You can disable all Invalid Signature notices in Advanced Settings by setting "Enable Module Signature Checking" to false.

However, this should never be done on a production machine, as it disables several layers of system protection. It is expected that this flag is only used on Development machines.

Types

There are 2 types of Module Signature Warnings. Their descriptions are listed below:

  • Unsigned

    • Unsigned modules are modules that have not been authorized by the FreePBX development team. They could potentially have code that could compromise your system. Trust these modules at your own risk.

  • Altered

    • Altered modules are modules that have files that have been tampered with since their original release. It is recommended to re-download these modules to prevent any issues with your PBX.
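
The difference between the two warning types, as an added example that is not FreePBX's own code: a module with no hash manifest is classified as unsigned, and a module whose files no longer match its manifest is classified as altered. The manifest file name and format are assumptions made for this illustration, and the signature check on the manifest itself, which a real signing system performs before trusting the hashes, is left out.

```python
import hashlib
import tempfile
from pathlib import Path

MANIFEST = "hashes.manifest"  # hypothetical name, not FreePBX's own file


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def write_manifest(module_dir):
    """Publisher side: record 'digest  relative/path' for every file."""
    root = Path(module_dir)
    files = sorted(p for p in root.rglob("*") if p.is_file() and p.name != MANIFEST)
    lines = [f"{sha256_file(p)}  {p.relative_to(root).as_posix()}" for p in files]
    (root / MANIFEST).write_text("\n".join(lines) + "\n")


def classify_module(module_dir):
    """Return (state, failed_paths); state is 'unsigned', 'altered' or 'good'."""
    root = Path(module_dir)
    manifest = root / MANIFEST
    if not manifest.is_file():
        return "unsigned", []  # nothing vouches for these files
    failed = []
    for line in manifest.read_text().splitlines():
        digest, rel = line.split("  ", 1)
        target = root / rel
        if not target.is_file() or sha256_file(target) != digest:  # missing or changed
            failed.append(rel)
    return ("altered" if failed else "good"), failed


def demo():
    """Classify three constructed module directories."""
    with tempfile.TemporaryDirectory() as tmp:
        dirs = {n: Path(tmp) / n for n in ("clean", "tampered", "thirdparty")}
        for name, d in dirs.items():
            d.mkdir()
            (d / "functions.inc.php").write_text("<?php // constructed sample\n")
            if name != "thirdparty":
                write_manifest(d)
        # Change a file after its manifest was written.
        (dirs["tampered"] / "functions.inc.php").write_text("<?php // changed\n")
        return {name: classify_module(d) for name, d in dirs.items()}


if __name__ == "__main__":
    print(demo())
```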

Sign your own

If you would like to learn how to sign your own modules, see: Module Signing (Integrity validation)
