
Overview

FreePBX offers the ability for modules to be signed by a developer to ensure integrity of the module, and allow automatic detection of tampering. Module signing does not certify any quality, merchantability, or fitness for purpose.

How does it work?

As the script that packages a module (part of the devtools repo) is run, it will query your local GPG keystore for keys that have been signed by FreePBX. If you have a private key signed by FreePBX, your module will be signed as part of the packaging.  If you don't have a private key that's been signed by FreePBX, your module won't be signed, and will be packaged without a signature.

Module signing is based on a hash of every file in the module. The hashes are stored in the file module.sig, which is then clear-text signed by gpg. When a module is loaded, the signature on module.sig is validated first, and then the hash of each file is verified against it. If module.sig has been altered, or the file hashes don't match, a security alert is triggered.
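The hash-manifest half of that check, as an added example (not FreePBX's own code): it records a SHA-256 per file at packaging time and compares the tree on disk against the manifest at load time. The `path = hash` line layout, the function names and the sample module tree are assumptions made for the illustration, and reporting unlisted files is a choice of this example; the GPG signature on the manifest is assumed to have been validated before `verify_tree` is called.

```python
import hashlib
import tempfile
from pathlib import Path

MANIFEST = "module.sig"  # name from the page; the line layout used here is constructed

def hash_tree(root):
    """Map each file's relative path to its SHA-256, skipping the manifest itself."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and p != root / MANIFEST
    }

def build_manifest(root):
    """Packaging side: one 'path = hash' line per file (hypothetical layout)."""
    return "".join(f"{path} = {digest}\n" for path, digest in hash_tree(root).items())

def verify_tree(root, manifest_text):
    """Loading side: compare the files on disk with the signed hashes."""
    # Assumes the signature over manifest_text was already validated;
    # hashes from an unverified manifest prove nothing.
    signed = dict(line.rsplit(" = ", 1) for line in manifest_text.splitlines() if line)
    actual = hash_tree(root)
    return {
        "altered": sorted(p for p in signed if p in actual and actual[p] != signed[p]),
        "missing": sorted(p for p in signed if p not in actual),
        "unlisted": sorted(p for p in actual if p not in signed),
    }

def demo():
    """Constructed module tree: package it, then alter, delete and add files."""
    with tempfile.TemporaryDirectory() as tmp:
        mod = Path(tmp)
        (mod / "views").mkdir()
        (mod / "module.xml").write_text("<module><rawname>example</rawname></module>")
        (mod / "functions.inc.php").write_text("<?php // original\n")
        (mod / "views" / "main.php").write_text("<?php echo 'ok';\n")
        manifest = build_manifest(mod)
        clean = verify_tree(mod, manifest)
        (mod / "functions.inc.php").write_text("<?php // modified after signing\n")
        (mod / "views" / "main.php").unlink()
        (mod / "extra.php").write_text("<?php // not in the manifest\n")
        return clean, verify_tree(mod, manifest)

if __name__ == "__main__":
    print(demo())
```

Any non-empty list in the result corresponds to the tampering condition described above; the order of the two checks matters, because the hashes are only trustworthy once the signature over them has been validated.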

Requesting a Key to be signed

Anyone may request their key to be signed by the FreePBX Master Key. The current list of requirements, excluding the Indemnification clauses that are in the Key Signing Agreement, is below:

  • Modules must be Open Source (GPL compatible via https://www.gnu.org/licenses/license-list.html)
  • There is no limit to the number of modules you can sign with your own key (this includes re-signing a Schmooze or FreePBX module with your own changes, as long as you're abiding by the Open Source licence)
  • Signing your own commercial module will not be supported at the moment, because as soon as there's a financial agreement in place, a pile of other new and interesting laws apply. We'll cross that bridge when we come to it, but it's going to be annoyingly difficult.

Note that there is no financial cost to you of having your key signed. We do however reserve the right to charge for key signing if, in our opinion, it is needed.

Key Revocation

FreePBX has the ability to revoke your key's signature. If your key's signature is revoked, all modules signed by that key will be disabled and cannot be used. We hope to never have to use this, but it's there to be able to block a module with a significant security vulnerability. We believe that this will be rarely used, if ever, but some of the reasons that it may be used could be (but aren't limited to):

  • Your key is compromised
  • Your key signed a malicious module
  • Your key signed a module with a security vulnerability that is being actively attacked and you're not responding to the issue
  • .. for any other reason we deem at the time.

That is, of course, a non-exhaustive list, but we're trying to abide by the Don't-Be-Evil mantra, and I would expect that we would always err on the side of caution.  Saying that, as signing a new key is a trivial exercise, if a key is revoked for whatever reason, unless the owner of the key is actively being evil, we would probably work with the key owner to get their modules re-signed with their new key.

More Information

This is all written around the GPG/PGP Web Of Trust, which was first discussed in 1992 by Phil Zimmermann and has been embraced by almost every other Open Source project. For example, dpkg and rpms are both signed in exactly the same way.

How do I get my GPG Key Signed by FreePBX

Follow the instructions on Requesting a Key to be Signed and email the executed agreement back to code@sangoma.com.


4 Comments

  1. Just noticed that Module Signing now includes checks on files in /etc/asterisk including the file that controls ODBC. How will we address that when we add new ODBC features to Asterisk??

  2. wardmundy, that is incorrect. It does not check files in "etc". What you are seeing is a check against a symlinked static file from a module. Without knowing what specific file you are talking about, I am only making assumptions.

     

    I can only assume you are talking about "cel_odbc.conf", which the defaults (symlinked from cdr) work fine. If they don't then you should be using the below listed include:

    #include cel_odbc_custom.conf

    This is how it's been since day 1.

  3. Actually I was referring to res_odbc.conf which we have used for years to set up ODBC queries. Has that now changed?? If so, what should be in res_odbc.conf and should user-specific setups be moved to res_odbc_custom.conf? Is FreePBX changing or monitoring any of the contents of the ODBC hooks in /etc, e.g. odbc.ini and odbcinst.ini?

    1. Ahh I see. res_odbc.conf has been a symlink of core since 2.11. You can add items to "#include res_odbc_custom.conf"

      Nothing has changed. The commit adding the file as a symlink is here (https://github.com/FreePBX/core/commit/3a46ffe2b942353bfe7b29ba29e4408bb07826a5) dated April 15, 2013.

      I have no idea what you've been adding to res_odbc.conf but you can put it into _custom.conf. I see no issues or problems that would cause.

      At this time ini files are distro managed.