Module Signing
Introduction
FreePBX now has an in-built signature verification system for all official modules. This is so that you, the end user, can easily tell if a module has been modified unexpectedly (such as a security vulnerability, or a malicious module).
Upgrading from 2.11 and have unsigned modules?
You may have come here because you've seen this security warning pop up, and you have a pile of unsigned modules. Don't panic! You just haven't completed the last part of the upgrade from 2.11 to 12. You need to log in to your FreePBX server via ssh, or via the console, and run the following three commands:
amportal chown
amportal a ma refreshsignatures
amportal a reload
#FWCONSOLE COMMANDS
fwconsole chown
fwconsole ma refreshsignatures
fwconsole reload |
That will ensure that all the files have the correct permissions, re-download any modules that you have on your machine that don't have signatures. and finally click the 'Reload Now' button for you. After that, all the warnings and errors should be gone!
Overview
Module signing notices, introduced in FreePBX 12, appear as a notification bar on every module page when there are any issues detected:
You can expand these warnings by clicking the "Details" bar to get a detailed analysis of what has failed integrity checks.
Alternatively you can also close this security message with the X in the corner, which will hide the messages (until it changes).
These notices will also show up in your dashboard and email as 'security' notices like so:
Yellow security notices are general warnings. While red security messages mean a file has been modified from how it originally came from FreePBX.
You can disable all Invalid Signature notices in Advanced Settings by setting "Enable Module Signature Checking" to false.
However, this should never be done on a production machine, as it disables several layers of system protection. It is expected that this flag is only used on Development machines.
Types
There are 2 types of Module Signature Warnings. Their descriptions are listed below:
Unsigned
Unsigned modules are modules that have not been authorized by the FreePBX development team. They could potentially have code that could compromise your system. Trust these modules at your own risk.
Altered
Altered modules are modules that have files that have been tampered from their original release. It is recommended to redownload these modules to prevent any issues to your PBX.
Sign your own
If you would like to learn how to sign your own modules please click here: Module Signing (Integrity validation)