
Overview

cPanel & WHM versions 11.48 and later include functionality to validate that all files downloaded from cPanel are delivered in a pristine state. This avoids any possibility of corruption due to a compromise of cPanel’s mirror system or the server’s connection to cPanel & WHM systems.

The new signature verification logic requires that all assets downloaded from the httpupdate mirrors meet either of the following criteria:

  • The system directly validates the assets through separate GnuPG (GPG) signature files. 
  • The assets are anchored to a signed asset with cryptographically-secure checksums. For example, the cPanelSync v1 manifest files are signed directly and SHA512 hashes verify the files that the manifests reference.

The system validates assets downloaded from other cPanel systems (such as the public portion of our GPG keys) via SSL connections.

GPG Keys

cPanel uses two primary GPG keys to sign assets delivered through our httpupdate mirrors. The system uses "release keys" to sign all assets intended for the normal mirrors. The system uses "development keys" to sign internal development builds and builds destined for the next.cpanel.net mirror system.

cPanel & WHM systems that track named tiers (STABLE, CURRENT, RELEASE, EDGE) or Long Term Support tiers (11.48, 11.46) only need access to the "release" keys. Systems that track experimental development builds (delivered through the next.cpanel.net mirror system) must enable the “development” keys.

Controls

The Security section of WHM's Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings) contains the following settings:

  • Signature validation on assets downloaded from cPanel & WHM mirrors setting — This setting controls the types of signatures that cPanel & WHM accepts. This setting defaults to Off.
  • Allow weak checksum schemes — This setting allows you to use MD5 checksums when SHA512 checksums are not available in a manifest file. We only recommend this option when your hosting provider has configured custom cPanelSync v1, cPanelSync v2, or RPM mirrors that do not use manifest file formats with SHA512 checksums.
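
The checksum anchoring described in the Overview and the effect of the Allow weak checksum schemes setting, as an added Python example (not cPanel's own code). The one-line-per-file manifest format, the function names, and the `manifest_signature_ok` flag that stands in for the GPG check are assumptions of this example, not the real cPanelSync layout.

```python
import hashlib

class VerificationError(Exception):
    """Raised when an asset cannot be tied back to the signed manifest."""

def parse_manifest(text):
    """Parse the hypothetical format '<path> <algo>:<hex> [<algo>:<hex> ...]'."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        entries[fields[0]] = {algo.lower(): digest.lower() for algo, digest in
                              (f.split(":", 1) for f in fields[1:])}
    return entries

def verify_asset(path, data, manifest, manifest_signature_ok, allow_weak=False):
    """Return the checksum algorithm used, or raise VerificationError."""
    # Checksums are only as trustworthy as the manifest that carries them, so its
    # detached signature is checked first (e.g. `gpg --verify manifest.asc manifest`).
    if not manifest_signature_ok:
        raise VerificationError("manifest signature not verified")
    sums = manifest.get(path)
    if sums is None:
        raise VerificationError(f"{path}: not listed in signed manifest")
    if "sha512" in sums:                 # preferred even when weak is allowed
        algo = "sha512"
    elif allow_weak and "md5" in sums:   # fallback only if explicitly enabled
        algo = "md5"
    else:
        raise VerificationError(f"{path}: no acceptable checksum in manifest")
    actual = hashlib.new(algo, data).hexdigest()
    if actual != sums[algo]:
        raise VerificationError(
            f"Checksum mismatch (actual: {actual}) (expected: {sums[algo]})")
    return algo

if __name__ == "__main__":
    # Constructed sample: one SHA512 entry and one legacy MD5-only entry.
    good, legacy = b"#!/bin/sh\necho update\n", b"legacy asset\n"
    manifest = parse_manifest(
        f"scripts/update sha512:{hashlib.sha512(good).hexdigest()}\n"
        f"legacy/tool md5:{hashlib.md5(legacy).hexdigest()}\n")
    print(verify_asset("scripts/update", good, manifest, True))
    try:
        verify_asset("legacy/tool", legacy, manifest, True)  # weak schemes off
    except VerificationError as err:
        print("rejected:", err)
```

Because SHA512 is chosen whenever the manifest offers it, enabling the weak fallback does not let an MD5 entry override a SHA512 entry for the same file.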

cPanel & WHM also provides support for custom third-party cPAddons Site Software installations. By default, cPanel & WHM does not validate the security of third-party cPAddons in the same way it does for cPAddons that cPanel delivers. If you are certain that all third-party cPAddons that reside on the system are correctly signed, you can enable signature verification via the tweak setting.


Failure Messages

If files downloaded from the cPanel mirrors become corrupt in transit, you should see an error message that will indicate what type of failure has occurred. Most cPanel & WHM subsystems will automatically switch to a different mirror to download a valid version of the requested file. 

Error Message and Meaning

Requesting script ... Failed to download signature for URL 'http://httpupdate.cpanel.net/autofixer2/test'.

This failure message indicates the “.asc” signature file that should accompany a download was missing on the mirror.


Error: Failed to verify signature for cpanel (key types: release): Invalid signature.

This failure message indicates that a signature file was present and was generated by a key in the correct keyring, but the file that the signature accompanies appears to be modified.

Error: Failed to verify signature for cpanel (key types: release): Could not find public key in keychain.

This error indicates that a signature file was present, but that the signature was generated by a key that was not included in the currently selected keyring. You may encounter this error message if you attempt to download a build from next.cpanel.net without enabling the “Development” keyring.

Checksum mismatch (actual: ce154dabbea49ff9ba30873964e8fd3736270ababaa35ffa574926818
e9667f890fdbd3c3a04a54f5e12a009c0250b750cdcde1ed6888e4a8bac2749534ce56e)
(expected: 3778908211e79f4c384ab707d6ce4f34b274bd997158fe9f33ffb2afd50f8e77
920813134447245cfa54a47b945fadb639006fc4db3f9188137d00cf12ecefb0)

This indicates that the checksum for an unsigned file did not match the expected value and cannot be used safely.

Signature verification failed using file from IP 10.215.217.12 and signature from IP 10.215.217.24...skipping 10.215.217.12...

This message indicates that the file downloaded from the mirror at 10.215.217.12 and the signature downloaded from 10.215.217.24 did not validate correctly. In most cases, out-of-date mirrors rather than malicious tampering cause signature verification failures. cPanel's download logic attempts to download files and their matching signatures four times using different mirrors before giving up on the download.

Failed to create gpg object: No keys found for vendor 'cpanel'

This failure message indicates that a local copy of the cPanel GPG public key file (cPanelPublicKey.asc) does not exist on the server. The system downloads these keys from https://securedownloads.cpanel.net/ during the nightly update process. You can manually download a cPanel GPG key update with the /usr/local/cpanel/scripts/updatesigningkey script.
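
For triage, the failure messages above can be matched in update output and tallied, as in this added Python example (not part of cPanel & WHM). The category names, the per-mirror tally, and the sample log lines are constructed for illustration; only the message texts come from this page.

```python
import re
from collections import Counter

# Patterns follow the failure messages documented above; category names are assumed.
IP = r"\d+(?:\.\d+){3}"
SIG = r"Failed to verify signature for (?P<vendor>\S+) \(key types: (?P<keys>[^)]+)\): "
PATTERNS = [
    ("missing_signature", r"Failed to download signature for URL '\s*(?P<url>[^']+?)\s*'"),
    ("modified_file", SIG + r"Invalid signature"),
    ("key_not_in_keyring", SIG + r"Could not find public key in keychain"),
    ("checksum_mismatch", r"Checksum mismatch \(actual: (?P<actual>[0-9a-f]+)"),
    ("mirror_mismatch", rf"file from IP (?P<file_ip>{IP}) and signature from IP (?P<sig_ip>{IP})"),
    ("no_local_key", r"No keys found for vendor '(?P<vendor>[^']+)'"),
]

def classify(line):
    """Return (category, extracted fields) for one log line, or (None, {})."""
    for category, pattern in PATTERNS:
        match = re.search(pattern, line)
        if match:
            return category, match.groupdict()
    return None, {}

def summarize(lines):
    """Count failures per category and per mirror that served a rejected file."""
    categories, skipped_mirrors = Counter(), Counter()
    for line in lines:
        category, fields = classify(line)
        if category is None:
            continue
        categories[category] += 1
        if category == "mirror_mismatch":
            # A mirror that is skipped repeatedly is a candidate out-of-date mirror.
            skipped_mirrors[fields["file_ip"]] += 1
    return categories, skipped_mirrors

# Constructed sample lines modeled on the messages documented above.
SAMPLE_LOG = [
    "Requesting script ... Failed to download signature for URL 'http://httpupdate.cpanel.net/autofixer2/test'.",
    "Error: Failed to verify signature for cpanel (key types: release): Invalid signature.",
    "Error: Failed to verify signature for cpanel (key types: release): Could not find public key in keychain.",
    "Signature verification failed using file from IP 10.215.217.12 and signature from IP 10.215.217.24...skipping 10.215.217.12...",
    "Signature verification failed using file from IP 10.215.217.12 and signature from IP 10.215.217.30...skipping 10.215.217.12...",
    "Failed to create gpg object: No keys found for vendor 'cpanel'",
    "Fetching http://httpupdate.cpanel.net/ (ok)",
]

if __name__ == "__main__":
    for name, counter in zip(("categories", "skipped mirrors"), summarize(SAMPLE_LOG)):
        print(name, dict(counter))
```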
