Module Signature Issue

@tonyclewis @theJames What can be done so my module (and future ones) doesn’t throw an error when using the TangoPBX framework module?

1 Like

AFAIK using the clearly repo fixes this

You need to be on the ClearlyIP repos in order to get Tango/ClearlyIP modules to work on a FreePBX system and not throw invalid signature errors. That is because Sangoma won’t sign against the ClearlyIP signing key.

My signing key has been signed against Sangoma and exists in their repo/systems as a valid signature key. ClearlyIP doesn’t seem to have access since they can’t see my key as valid. I’m sure there’s a way to solve this.

Tom

We only add our key to framework. The Sangoma key is there also so your module should not show any issues if it’s signed by a key that Sangoma Signed.

@theJames any ideas here as that does not make sense to me it would be giving an error.

1 Like

Well on both my FreePBX v17 that I switched to the ClearlyIP repos to install Framework and Openpage and my pure TangoPBX distro install…I get this:

Running refreshsignatures gets this:

Checking Signatures of Modules...
Checking advcallspy...
Signature Invalid
        Could not find signed module on remote server!

So from what I can tell the issue here is you haven’t given opengpg permission to expose the uid of your key. This means the key has no UID and gpg can’t/won’t import it… there is suppose to be a flag to ignore uid --allow-non-selfsigned-uid but it doesn’t seem to work. If you adjust your keys permissions with opengpg it should be able to be imported and validated.


    Publishing requires double opt-in validation, to prove ownership of the email address in question.
    Addresses are searchable by exact email address, but not by associated name.
    Enumeration of addresses is not possible.
    Deletion of addresses is possible via simple proof of ownership in an automated fashion, similar to publication, using the “manage“ tool. To unlist an address where this isn't possible, write to support at keys dot openpgp dot org.

This data is never handed collectively (“as a dump“) to third parties. 

From Here.

For reference what the module does then parses the response

root@tango:~# sudo -u asterisk /usr/bin/gpg --homedir /var/lib/asterisk/.gnupg --output - '/var/www/html/admin/modules/advcallspy/module.sig'
gpg: WARNING: unsafe permissions on homedir '/var/lib/asterisk/.gnupg'
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
;################################################
;#        FreePBX Module Signature File         #
;################################################
;# Do not alter the contents of this file!  If  #
;# this file is tampered with, the module will  #
;# fail validation and be marked as invalid!    #
;################################################

[config]
version=2
hash=sha256
signedwith=749665F512DB3A86B9E78E043CC3677FBEC27EFF
signedby=sign.php
repo=manual
type=public
[hashes]
Advcallspy.class.php = ed84cd1dbed4e8bb71fe87fca1daef4d5afc6995b5de7799e170879c635f53ba
Backup.php = 0fbb04634a731ddf389cec75808afc230fb647078f5007f6d5ac345848a2606b
LICENSE = 75834a24bfdb7ebd0539cd9fc497ebc7583f624521fc48dc606c78db2f2b949d
Restore.php = 2fcf13765727b6ea0b705aebb9703f333e6ce96c4499893ca169f6e8f7f2b7dc
assets/css/advcallspy.css = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
assets/js/advcallspy.js = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
functions.inc.php = 2fbb69ed4098bd7d34e855b8a4d04dd4fafdc56511faddc75cdcfa1feaec3b3c
install.php = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
module.xml = c23f01619931828a249dbcf2221cf7fb0b903a04f2d641976860384b0dec2e48
page.advcallspy.php = 034739d28290ed5aa658a383da86ea4b6f755e6f137623dee8d79219ad3fbc5e
page.spygroups.php = 026f88ab614aa7392f4be74452eee1d7e2f2f0b0eb88d48f91e80f4cc7ea10df
uninstall.php = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
views/spycodes/form.php = 0ba5fca585bfe861ab6d74081e82e1c0982d2fe4f23a9bfbc90e7fe897cf8356
views/spycodes/grid.php = 835876e713410d33e273c34941d6b650774cdc4aa5cb2bc3642292c98b088916
views/spycodes/rnav.php = 0b4d82a7fbc37f68c576fb81917f8e486dfd04c2c8b5fbcb30a9c4f9ca563161
views/spygroups/form.php = dae2efabcfc136ff63a5c28fff20fcabcb7d240389ec6b3d688fcf5ca4170a4e
views/spygroups/grid.php = 98b35a26e8c6fdb44a5aaee1dbc44cff8b1290c4fa40127d10cc48f458de5f1c
views/spygroups/rnav.php = 632f4343d0c0fbd25651823a98be06916ad6be2075bbb2715c4af26dcde6d807
;# End
gpg: Signature made Fri Jun  6 17:15:28 2025 UTC
gpg:                using RSA key 749665F512DB3A86B9E78E043CC3677FBEC27EFF
gpg: Can't check signature: No public key
1 Like

Yeah, that was the step I was missing. I put it up and now when I do a refreshsignatures it shows good. It shows that it is valid signature in Module Admin. Still getting the big old red banner on my dashboard for both my module and Bill’s SMS connector but the same thing. Module Admin shows everything valid, the module signatures look fine through fwconsole just that the dashboard throws the warning error even have a restart and reboot.