Download Security

Overview

cPanel & WHM versions 11.48 and later include functionality to validate that all files downloaded from cPanel are delivered in a pristine state. This avoids any possibility of corruption due to a compromise of cPanel’s mirror system or tampering with the server’s connection to cPanel’s systems.

The new signature verification logic requires that all assets downloaded from the httpupdate mirrors are either directly validated through separate GPG signature files, or anchored to a signed asset using cryptographically secure checksums. For instance, the cPanelSync v1 manifest files are signed directly and the files referenced by the manifests are verified through SHA512 hashes.

Assets downloaded from other cPanel systems (such as the public portion of our GPG keys) are validated through SSL connections.

GPG Keys

cPanel uses two primary GPG keys to sign assets delivered through our httpupdate mirrors. “Release” keys are used to sign all assets intended for the normal mirrors. “Development” keys are used to sign internal development builds and builds destined for the “next.cpanel.net” mirror system.

cPanel & WHM systems that track named tiers (STABLE, CURRENT, RELEASE, EDGE) or LTS tiers (11.48, 11.46) only need access to the “Release” keyring. Systems that track experimental development builds (delivered through next.cpanel.net) must enable the “Development” keyring.

Controls

WHM's Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings) contains new settings to control the types of signatures that cPanel & WHM will accept. This setting is listed in the Security tab as “Signature validation on assets downloaded from cPanel & WHM mirrors” with a default of “Off.”

cPanel & WHM also provides support for custom third-party cPAddons Site Software installations. By default, cPanel & WHM does not validate the security of third-party cPAddons in the same way it does for cPAddons delivered by cPanel. If you are certain that all third-party cPAddons used on the system are correctly signed, you can enable signature verification using the “Verify signatures of 3rdparty cPaddons” tweak setting.

Finally, cPanel & WHM provides an "Allow weak checksum schemes" tweak setting that allows MD5 checksums to be used as a fallback when SHA512 checksums are not available in a manifest file downloaded from a mirror. This setting is not recommended for most users. Software provided by cPanel will always use strong checksums in manifests. This option is only recommended when a hosting provider has configured custom cPanelSync v1, cPanelSync v2, or RPM mirrors that have not been updated to use manifest file formats with SHA512 checksums.
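The checksum anchoring from the Overview and the weak-checksum fallback described above, as an added example that is not cPanel's code. The manifest line format, function names and sample data are constructed for illustration, and the manifest is assumed to have already passed GPG signature verification.

```python
import hashlib
import hmac

class ChecksumError(Exception):
    """Raised when an asset cannot be tied to the signed manifest."""

def parse_manifest(text):
    """Parse constructed manifest lines: '<path> sha512=<hex> md5=<hex>'."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        path, *fields = line.split()
        entries[path] = dict(f.split("=", 1) for f in fields)
    return entries

def verify_asset(entries, path, data, allow_weak=False):
    """Return the checksum scheme that validated `data`, or raise ChecksumError."""
    entry = entries.get(path)
    if entry is None:
        raise ChecksumError(f"{path}: not listed in signed manifest")
    if "sha512" in entry:
        # A listed SHA512 is always authoritative; MD5 is never a second chance.
        scheme, actual = "sha512", hashlib.sha512(data).hexdigest()
    elif "md5" in entry and allow_weak:
        # Models the "Allow weak checksum schemes" fallback for legacy manifests.
        scheme, actual = "md5", hashlib.md5(data).hexdigest()
    else:
        raise ChecksumError(f"{path}: no acceptable checksum in manifest")
    expected = entry[scheme].lower()
    if not hmac.compare_digest(actual, expected):
        raise ChecksumError(f"{path}: Checksum mismatch (actual: {actual}) (expected: {expected})")
    return scheme

def audit(entries, downloads, allow_weak=False):
    """Map each downloaded path to 'ok:<scheme>' or 'rejected: <reason>'."""
    results = {}
    for path, data in downloads.items():
        try:
            results[path] = "ok:" + verify_asset(entries, path, data, allow_weak)
        except ChecksumError as exc:
            results[path] = f"rejected: {exc}"
    return results

# Constructed sample data (not real cPanel assets or manifest syntax).
GOOD, LEGACY = b"#!/bin/sh\necho updated\n", b"legacy asset\n"
MANIFEST = (
    f"scripts/update sha512={hashlib.sha512(GOOD).hexdigest()}\n"
    f"legacy/tool md5={hashlib.md5(LEGACY).hexdigest()}\n"
    f"mixed/file sha512={'0' * 128} md5={hashlib.md5(GOOD).hexdigest()}\n"
)
```

The "mixed/file" entry shows why the fallback must only apply when no SHA512 is listed: its MD5 matches, but the asset is still rejected even with allow_weak=True.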

Failure Messages

If files downloaded from the cPanel mirrors become corrupt in transit, you should see an error message that indicates what type of failure has occurred. Most cPanel & WHM subsystems will automatically switch to a different mirror to download a valid version of the requested file.

Error Message | Meaning
Requesting script ... Failed to download signature for URL 'http://httpupdate.cpanel.net/autofixer2/test'.

This failure message indicates that the “.asc” signature file that should accompany a download was missing on the mirror.


Error: Failed to verify signature for cpanel (key types: release): Invalid signature.

This failure message indicates that a signature file was present and was generated by a key in the correct keyring, but the file that the signature accompanies appears to be modified.

Error: Failed to verify signature for cpanel (key types: release): Could not find public key in keychain.

This error indicates that a signature file was present, but that the signature was generated by a key that was not included in the currently selected keyring. You may encounter this error message if you attempt to download a build from next.cpanel.net without enabling the “Development” keyring.

Checksum mismatch (actual: ce154dabbea49ff9ba30873964e8fd3736270ababaa35ffa574926818e9667f890fdbd3c3a04a54f5e12a009c0250b750cdcde1ed6888e4a8bac2749534ce56e) (expected: 3778908211e79f4c384ab707d6ce4f34b274bd997158fe9f33ffb2afd50f8e77920813134447245cfa54a47b945fadb639006fc4db3f9188137d00cf12ecefb0)

This indicates that the checksum for an unsigned file did not match the expected value and cannot be used safely.

Signature verification failed using file from IP 10.215.217.12 and signature from IP 10.215.217.24...skipping 10.215.217.12...

This message indicates that the file downloaded from the mirror at 10.215.217.12 and the signature downloaded from 10.215.217.24 did not validate correctly. In most cases, out-of-date mirrors rather than malicious tampering cause signature verification failures. cPanel's download logic attempts to download files and their matching signatures four times using different mirrors before giving up on the download.

Failed to create gpg object: No keys found for vendor 'cpanel'

This failure message indicates that a local copy of the cPanel GPG public key file (cPanelPublicKey.asc) does not exist on the server. The system downloads these keys from https://securedownloads.cpanel.net/ during the nightly update process. You can manually download a cPanel GPG key update with the /usr/local/cpanel/scripts/updatesigningkey script.
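A triage sketch for the failure messages above, as an added example that is not part of cPanel & WHM. The category names, function names and log excerpt are constructed here; it separates the failures the page ties to the local keyring from those tied to a mirror.

```python
import re
from collections import Counter

IP = r"\d+(?:\.\d+){3}"
SIG = r"Failed to verify signature for \S+ \(key types: (?P<keys>[^)]+)\): "
# Patterns follow the failure messages documented above; the category names
# are labels chosen for this example.
RULES = [(name, re.compile(rx)) for name, rx in [
    ("missing_signature", r"Failed to download signature for URL '(?P<url>[^']+)'"),
    ("invalid_signature", SIG + r"Invalid signature"),
    ("unknown_key", SIG + r"Could not find public key in keychain"),
    ("checksum_mismatch",
     r"Checksum mismatch \(actual: (?P<actual>[0-9a-f]+)\) \(expected: (?P<expected>[0-9a-f]+)\)"),
    ("mirror_skipped",
     rf"using file from IP (?P<file_ip>{IP}) and signature from IP (?P<sig_ip>{IP})"),
    ("no_local_keys", r"No keys found for vendor '(?P<vendor>[^']+)'"),
]]
# Failures the page attributes to the local keyring rather than to a mirror.
LOCAL_KEYRING = {"unknown_key", "no_local_keys"}

def classify(line):
    """Return (category, captured fields) for one log line, or (None, {})."""
    for name, rx in RULES:
        match = rx.search(line)
        if match:
            return name, match.groupdict()
    return None, {}

def triage(lines):
    """Return category counts, mirror IPs seen in failed pairs, keyring flag."""
    categories, mirrors = Counter(), Counter()
    for line in lines:
        name, fields = classify(line)
        if name == "mirror_skipped":
            mirrors.update([fields["file_ip"], fields["sig_ip"]])
        if name:
            categories[name] += 1
    return categories, mirrors, bool(LOCAL_KEYRING & set(categories))

# Constructed log excerpt: message shapes from the page, checksums shortened.
SAMPLE_LOG = [
    "Requesting script ... Failed to download signature for URL 'http://httpupdate.cpanel.net/autofixer2/test'.",
    "Error: Failed to verify signature for cpanel (key types: release): Invalid signature.",
    "Error: Failed to verify signature for cpanel (key types: release): Could not find public key in keychain.",
    "Checksum mismatch (actual: ce154dab) (expected: 37789082)",
    "Signature verification failed using file from IP 10.215.217.12 and signature from IP 10.215.217.24...skipping 10.215.217.12...",
    "Failed to create gpg object: No keys found for vendor 'cpanel'",
]
```

A set keyring flag points at the “Development” keyring setting or the updatesigningkey script; repeated mirror IPs point at a stale or altered mirror.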
