FreePBX offers the ability for modules to be signed by a developer to ensure integrity of the module, and allow automatic detection of tampering. Module signing does not certify any quality, merchantability, or fitness for purpose.
How does it work?
As the script that packages a module (part of the devtools repo) is run, it will query your local GPG keystore for keys that have been signed by FreePBX. If you have a private key signed by FreePBX, your module will be signed as part of the packaging. If you don't have a private key that's been signed by FreePBX, your module won't be signed, and will be packaged without a signature.
Module signing is based on a hash of all files in a module, which is stored in the file module.sig, which is then clear-text signed by gpg. As part of module loading the signature of the file is validated, and then the hash of all the files are verified. If the module.sig has been altered, or the file hashes don't match, a security alert is triggered.
Requesting a Key to be signed
Anyone may request their key to be signed by the FreePBX Master Key. The current list of requirements, excluding the Indemnification clauses that are in the Key Signing Agreement are below
- Modules must be Open Source (GPL compatible via https://www.gnu.org/licenses/license-list.html)
- There is no limit to the number of modules you can sign with your own key (this includes re-signing a Schmooze or FreePBX module with your own changes, as long as you're abiding by the Open Source licence)
- Signing your own commercial module will not be supported at the moment, because as soon as there's a financial agreement in place, a pile of other new and interesting laws apply. We'll cross that bridge when we come to it, but it's going to be annoyingly difficult.
Note that there is no financial cost to you of having your key signed. We do however reserve the right to charge for key signing if, in our opinion, it is needed.
FreePBX has the ability to revoke your keys signature. If your keys signature is revoked, all modules signed by that key will be disabled and will not be able to be used. We hope to never have to use this, but it's there to be able to block a module with a significant security vulnerability. We believe that this will be rarely used, if ever, but some of the reasons that it may be used could be (but aren't limited to)
- Your key is compromised
- Your key signed a malicious module
- Your key signed a module with a security vulnerability that is being actively attacked and you're not responding to the issue
- .. for any other reason we deem at the time.
That is, of course, a non-exhaustive list, but we're trying to abide by the Don't-Be-Evil mantra, and I would expect that we would always err on the side of caution. Saying that, as signing a new key is a trivial exercise, if a key is revoked for whatever reason, unless the owner of the key is actively being evil, we would probably work with the key owner to get their modules re-signed with their new key.
This is all written around the GPG/PGP Web Of Trust which was first discussed in 1992 by Phil Zimmerman, and has been embraced by almost every other Open Source project – for example, dpkg and rpms are both signed in exactly the same way.
How do I get my GPG Key Signed by FreePBX