Page tree
Skip to end of metadata
Go to start of metadata

Introduction

FreePBX now has an in-built signature verification system for all official modules. This is so that you, the end user, can easily tell if a module has been modified unexpectedly (such as a security vulnerability, or a malicious module).

Upgrading from 2.11 and have unsigned modules?

You may have come here because you've seen this security warning pop up, and you have a pile of unsigned modules. Don't panic! You just haven't completed the last part of the upgrade from 2.11 to 12.  You need to log in to your FreePBX server via ssh, or via the console, and run the following three commands:

amportal chown
amportal a ma refreshsignatures
amportal a reload

That will ensure that all the files have the correct permissions, re-download any modules that you have on your machine that don't have signatures. and finally click the 'Reload Now' button for you. After that, all the warnings and errors should be gone!

Overview

Module signing notices, introduced in FreePBX 12, appear as a notification bar on every module page when there are any issues detected:

You can expand these warnings by clicking the "Details" bar to get a detailed analysis of what has failed integrity checks.

Alternatively you can also close this security message with the X in the corner, which will hide the messages (until it changes). 

These notices will also show up in your dashboard and email as 'security' notices like so:

Yellow security notices are general warnings. While red security messages mean a file has been modified from how it originally came from FreePBX. 

You can disable all Invalid Signature notices in Advanced Settings by setting "Enable Module Signature Checking" to false.

However, this should never be done on a production machine, as it disables several layers of system protection. It is expected that this flag is only used on Development machines.

Types

There are 2 types of Module Signature Warnings. Their descriptions are listed below:

  • Unsigned

    • Unsigned modules are modules that have not been authorized by the FreePBX development team. They could potentially have code that could compromise your system. Trust these modules at your own risk.

  • Altered

    • Altered modules are modules that have files that have been tampered from their original release. It is recommended to redownload these modules to prevent any issues to your PBX.

Sign your own

If you would like to learn how to sign your own modules please click here: Module Signing (Integrity validation)

  • No labels

3 Comments

  1. When I enter the command "amportal a ma refreshsignatures" it gives me error as "File integrity failed" and showing for modules.
    I am also no able to upgrade my modules using the pbx in browser....
    Please someone help

     

    1. Please use the forums

  2. "fwconsole ma refreshsignatures" for those new systems...