FYI FreePBX 12 Signature Checking

PBXEHR

Member
Joined
Sep 30, 2013
Messages
42
Reaction score
0
FreePBX reports the following modules are unsigned:

Module "AsteriDex" is unsigned and should be re-downloaded
Module "Reminders" is unsigned and should be re-downloaded
Module "ConfigEdit" is unsigned and should be re-downloaded
Module "phpMyAdmin" is unsigned and should be re-downloaded
Module "Sys Info" is unsigned and should be re-downloaded

How do I get them signed? Is there a wget to download the latest versions?

I tried downloading and installing a couple of these manually, but it made Asterisk stop working, so I had to restore the system back to the pre-upgrade version.
 

PBXEHR

Member
Joined
Sep 30, 2013
Messages
42
Reaction score
0
Here's what's in the tutorial for anyone else that comes across this as well:

A Word About FreePBX Module Signatures

FreePBX 12 has implemented a new checksum mechanism to assure that FreePBX-developed modules are intact. As of this writing, there is not yet a procedure in place to register non-FreePBX modules and check their validity. Because Incredible PBX adds a number of unsigned modules, you will need to change Enable Module Signature Checking to False in Advanced Settings from time to time until we get this sorted out with the FreePBX Development Team. Otherwise, you will get an ugly message in System Status alerting you to the fact that a number of modules are not signed. The default Incredible PBX install has signature checking disabled. Don’t be alarmed if it changes after adding new FreePBX modules or updates. The affected Incredible PBX modules include AsteriDex, ConfigEdit, Reminders, SysInfo, and phpMyAdmin. If other modules (other than ODBC configuration files) show invalid or missing signatures, you should do some investigating promptly! Otherwise, simply disable signature checking again, and all will be well.

Looks like the Enable Module Signature Checking is all or nothing. You can't toggle it on/off per module.

If you turn it off, you won't know if other programs get hacked, so I'm going to leave it on knowing I can ignore the false warning for the above listed modules. I think that might be safer than turning it off.
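The triage approach described in the post above (leave checking on, ignore the known notices, investigate anything else), as an added example that is not part of the original thread or of FreePBX. It parses only the "is unsigned" notice format quoted in the thread; the allowlist comes from the tutorial text, and `examplemodule` is a hypothetical name in constructed sample input.

```bash
#!/bin/sh
# Added example: triage FreePBX "unsigned module" notices against an allowlist.

# Modules the tutorial says are expected to be unsigned on Incredible PBX.
# The thread spells one of them both "Sys Info" and "SysInfo"; accept both.
EXPECTED_UNSIGNED='AsteriDex
ConfigEdit
Reminders
phpMyAdmin
Sys Info
SysInfo'

# Read notice text on stdin; print every module reported as unsigned that is
# NOT on the allowlist, one name per line (names may contain spaces).
unexpected_unsigned() {
    sed -n 's/^[[:space:]]*Module "\([^"]*\)" is unsigned.*$/\1/p' |
    while IFS= read -r name; do
        if ! printf '%s\n' "$EXPECTED_UNSIGNED" | grep -Fxq -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Return 0 when only allowlisted modules are unsigned; otherwise print one
# line per unexpected module and return 1 (usable from cron or monitoring).
check_notices() {
    cn_findings=$(unexpected_unsigned)
    if [ -z "$cn_findings" ]; then
        return 0
    fi
    printf '%s\n' "$cn_findings" | sed 's/^/INVESTIGATE unsigned module: /'
    return 1
}

# Constructed sample: the five notices from the thread plus one hypothetical
# extra module that is not on the allowlist.
SAMPLE_NOTICES='Module "AsteriDex" is unsigned and should be re-downloaded
Module "Reminders" is unsigned and should be re-downloaded
Module "ConfigEdit" is unsigned and should be re-downloaded
Module "phpMyAdmin" is unsigned and should be re-downloaded
Module "Sys Info" is unsigned and should be re-downloaded
Module "examplemodule" is unsigned and should be re-downloaded'

# Demo run: prints one INVESTIGATE line for the hypothetical module.
printf '%s\n' "$SAMPLE_NOTICES" | check_notices || true
```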
 

mainenotarynet

Not really a Guru - Just a long time user
Joined
May 29, 2010
Messages
754
Reaction score
155
Be careful with that also, as there is a caveat:

IF you provide an email for being alerted to updates when available (on the Module Admin Page - Upper right corner), you will get emails every day alerting you to the unsigned modules whether or not any updates are available that day. This annoyed me so I'll disable sig check until it's straightened out.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
Thanks, lgaetz. We also included the link in the Nerd Vittles tutorial. This is actively being worked on by Rob and others. Shouldn't be too long.
 

xrobau

Guru
Joined
May 14, 2009
Messages
13
Reaction score
14
I'm back home today (yay, managed to score a business class upgrade on the way back, was SO AWESOME!) so after I catch up on things locally I'm going to work on getting the module signing infrastructure packaged up while all the legal eagles sort out the legalese that needs to be signed.

I'm 100% with lgaetz - there should never be a reason for people to be told to turn off integrity validation.

Edit: I literally couldn't even.
https://www.facebook.com/photo.php?fbid=10152729687037752
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
> I'm back home today (yay, managed to score a business class upgrade on the way back, was SO AWESOME!) so after I catch up on things locally I'm going to work on getting the module signing infrastructure packaged up while all the legal eagles sort out the legalese that needs to be signed.
>
> I'm 100% with lgaetz - there should never be a reason for people to be told to turn off integrity validation.

Ah yes, The Perfect World. Can't wait :)
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
New version of Incredible PBX 12 with FreePBX 12 signature checking and latest Asterisk 12.6.1 security fixes was released today.

 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
An anonymous user named bluebox has posted a fix to disable FreePBX 12 signature checking from the command line or as a cron job.

Using this command obviously disables signature checking so lock down your firewall first!

We'll see how long it lasts.

Code:
/var/lib/asterisk/bin/freepbx_setting SIGNATURECHECK 0
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
For those that didn't make it to law school, there is a major difference in asking someone not to sue you when you give them something for free and asking someone to give a foreign corporation veto power over your future legal defense claims while also requiring the same individual to pick up not only their own legal expenses but also all of the legal expenses of a foreign corporation to defend against third party lawsuits worldwide, frivolous or otherwise. And Sangoma wants this protection for open source modules which have been included in most FreePBX distributions for the better part of the last decade.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
Wear Something Green for May Day: The Schmoozification of Sangoma

 

synack

Guru
Joined
Dec 31, 2013
Messages
227
Reaction score
56
I totally get they don't want to put their name to other people's crud without protecting themselves. I would too.

But seriously though... why the resistance to give the ability for people to opt-out? They asked for "alternatives", there's one. Make it a great big button that pops up "are you sure?" a couple times. Tag "(unsigned/unsupported)" next to the module in module admin. They can keep the wording as-is for those that want to officially sign the modules to have a "premium" look and feel (aka not needing to opt out). This is a Linux system. Anyone can install all sorts of madness on there that may be detrimental to security. Easy for them to say "unsupported" for that. Why would third party modules be any different?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
> I totally get they don't want to put their name to other people's crud without protecting themselves. I would too.
>
> But seriously though... why the resistance to give the ability for people to opt-out? They asked for "alternatives", there's one. Make it a great big button that pops up "are you sure?" a couple times. Tag "(unsigned/unsupported)" next to the module in module admin. They can keep the wording as-is for those that want to officially sign the modules to have a "premium" look and feel (aka not needing to opt out). This is a Linux system. Anyone can install all sorts of madness on there that may be detrimental to security. Easy for them to say "unsupported" for that. Why would third party modules be any different?


Unless they didn't want you using modules of others. :confused:
 

synack

Guru
Joined
Dec 31, 2013
Messages
227
Reaction score
56
> Unless they didn't want you using modules of others. :confused:

Yeah.. They can't really prevent it, the worst they can do is to make it annoying. Oh wait...
I place myself firmly in the "don't care, as it doesn't affect me" camp. I can sympathize with others however and would get behind any decision to fork. I've set up a GitHub account to help out code if needed.
 

ostridge

Guru
Joined
Jan 22, 2015
Messages
1,618
Reaction score
517
> For those that didn't make it to law school, there is a major difference in asking someone not to sue you when you give them something for free and asking someone to give a foreign corporation veto power over your future legal defense claims while also requiring the same individual to pick up not only their own legal expenses but also all of the legal expenses of a foreign corporation to defend against third party lawsuits worldwide, frivolous or otherwise. And Sangoma wants this protection for open source modules which have been included in most FreePBX distributions for the better part of the last decade.

Hi Ward. Is there nothing in US law about unfair contract terms???
 
