Using FreePBX Signed Keys
After your key has been signed by the FreePBX Master Key, you will be able to sign modules using the 'sign.php' script in the Devtools repo.
[[email protected] devtools]# ./sign.php /var/www/html/admin/modules/paging Signing /var/www/html/admin/modules/paging with 51F5B68D25155DCB Generating file list... Signing /var/www/html/admin/modules/paging/module.sig.. Done [[email protected] devtools]# ls -al /var/www/html/admin/modules/paging/module.sig -rw-r--r-- 1 root root 4625 Nov 17 12:51 /var/www/html/admin/modules/paging/module.sig
If you don't have a key signed by FreePBX, you will need to specify which key you want to use to sign the package. You may still sign your packages, but they will appear as a Warning on FreePBX as 'Invalid Key'
[[email protected] devtools]# ./sign.php /var/www/html/admin/modules/paging Wasn't able to find a valid key. Sorry [[email protected] devtools]# gpg --list-secret-keys /root/.gnupg/secring.gpg ------------------------ sec 2048R/E407B7AB 2014-11-17 [expires: 2015-11-17] uid Ed Led Ovum (Ovum.com FreePBX Module Signing Key) <[email protected]> ssb 2048R/19663421 2014-11-17 [[email protected] devtools]# ./sign.php /var/www/html/admin/modules/paging E407B7AB Signing /var/www/html/admin/modules/paging with E407B7AB Generating file list... Signing /var/www/html/admin/modules/paging/module.sig.. Done [[email protected] devtools]#
To get the fingerprint keys:
gpg --fingerprint pub 2048R/28F9D098 2018-01-28 Key fingerprint = 965F 09B9 50B5 0BD9 7BAA 0E0F 9687 8C74 28F9 D098 uid Franck Danard <[email protected]> sub 2048R/18F01234 2018-01-28
The fingerprint key will be : 96878C7428F9D098
It is expected that you tar the module directory up and distribute as normal, with the module.sig file included.
Using Local Keys
If your key is not signed by the FreePBX Master Key, you can create a system-specific signature by running sign.php with the extra parameter '--local', as below:
[[email protected] devtools]# ./sign.php /var/www/html/admin/modules/gpgtest --local 4058826678A79FC4 Installing to local signing directory Signing with 4058826678A79FC4 Generating file list... Signing /etc/freepbx.secure/gpgtest.sig.. Done Tagging module for local signing... Done [[email protected] devtools]#
Create a shortcut to sign
If you want to make a cmd line to sign your module, you can create a new file (sign) in /usr/bin/ and put this code like this:
#!/bin/sh module=$1; key=$2; /usr/src/devtools/sign.php /var/www/html/admin/modules/$module $key
Next, change privileges like this:
chmod 755 /usr/bin/sign
Next, you can use it like this.
# sign paging or # sign paging E407B7AB
Local Key Walkthrough
If you want to sign a module on your own system so it is protected against unauthorized tampering, here is an example of how to do it.
Note that these commands must be run as root on your machine.
Key Generation
Generate a key as per GPG Key Generation HowTo, or use your own key. You only need to run the 'gpg --gen-key' command, there is no need to push it out to the Web Of Trust.
Toolkit
Download the 'devtools' toolkit from Git. This contains scripts and helpers that are used to sign modules. This should be placed in /usr/src/devtools
[[email protected] /]# cd /usr/src [[email protected] src]# git clone http://git.freepbx.org/scm/freepbx/devtools.git Cloning into 'devtools'... remote: Counting objects: 11092, done. remote: Compressing objects: 100% (7144/7144), done. remote: Total 11092 (delta 4301), reused 10276 (delta 3763) Receiving objects: 100% (11092/11092), 11.69 MiB | 600.00 KiB/s, done. Resolving deltas: 100% (4301/4301), done. [[email protected] src]#
Sign the module
As this key is NOT signed by the FreePBX Development Team, the signing tool can not automatically detect which key to use. You need to specify the key on the command line.
[[email protected] ~]# /usr/src/devtools/sign.php /var/www/html/admin/modules/ponies --local 464742D0 Installing to local signing directory Signing with 464742D0 Generating file list... Signing /etc/freepbx.secure/ponies.sig.. Done Tagging module for local signing... Done [[email protected] ~#]
Complete Session walkthrough
[[email protected] ~]# gpg --gen-key gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 0 Key does not expire at all Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. Real name: Test Key Email address: [email protected] Comment: Test key to demonstrate local signing You selected this USER-ID: "Test Key (Test key to demonstrate local signing) <[email protected]>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key. You don't want a passphrase - this is probably a *bad* idea! I will do it anyway. You can change your passphrase at any time, using this program with the option "--edit-key". We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: key 464742D0 marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u pub 2048R/464742D0 2016-11-29 Key fingerprint = 0F5C ACDF 5BCA 939D 68CD CAAC 1838 1192 4647 42D0 uid Test Key (Test key to demonstrate local signing) <[email protected]> sub 2048R/7E11F49B 2016-11-29 [[email protected] ~]# cd /usr/src [[email protected] src]# git clone http://git.freepbx.org/scm/freepbx/devtools.git Cloning into 'devtools'... remote: Counting objects: 11092, done. remote: Compressing objects: 100% (7144/7144), done. remote: Total 11092 (delta 4301), reused 10276 (delta 3763) Receiving objects: 100% (11092/11092), 11.69 MiB | 600.00 KiB/s, done. Resolving deltas: 100% (4301/4301), done. [[email protected] src]# devtools/sign.php /var/www/html/admin/modules/ponies --local 464742D0 Installing to local signing directory Signing with 464742D0 Generating file list... Signing /etc/freepbx.secure/ponies.sig.. Done Tagging module for local signing... Done [[email protected] src#]
As mentioned above, you must do this as root, and it will fail if you try to do this as another user. This is to ensure that non-root users can't tamper with modules that the root user has deemed safe.