cPanel & WHM versions 11.48 and later include functionality to validate that all files downloaded from cPanel are delivered in a pristine state. This avoids any possibility of corruption due to a compromise of cPanel’s mirror system or the server’s connection to cPanel & WHM systems.
The new signature verification logic requires that all assets downloaded from the httpupdate mirrors meet either of the following criteria:
- The system directly validates the assets through separate GnuPG (GPG) signature files.
- The assets are anchored to a signed asset with cryptographically secure checksums. For example, the cPanelSync v1 manifest files are signed directly, and SHA512 hashes verify the files that the manifests reference.
The system validates assets downloaded from other cPanel systems (such as the public portion of our GPG keys) via SSL connections.
cPanel uses two primary GPG keys to sign assets delivered through our httpupdate mirrors. The system uses "release keys" to sign all assets intended for the normal mirrors. The system uses "development keys" to sign internal development builds and builds destined for the next.cpanel.net mirror system.
cPanel & WHM systems that track named tiers (STABLE, CURRENT, RELEASE, EDGE) or Long Term Support tiers (11.48, 11.46) only need access to the "release" keys. Systems that track experimental development builds (delivered through the next.cpanel.net mirror system) must enable the "development" keys.
- Signature validation on assets downloaded from cPanel & WHM mirrors setting — This setting controls the types of signatures that cPanel & WHM accepts. This setting defaults to Off.
- Allow weak checksum schemes — This setting allows you to use MD5 checksums when SHA512 checksums are not available in a manifest file. We only recommend this option when your hosting provider has configured custom cPanelSync v1, cPanelSync v2, or RPM mirrors that do not use manifest file formats with SHA512 checksums.
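The trust chain and the weak-checksum setting described above can be sketched as follows. This is an added example, not cPanel's code: the manifest layout, `parse_manifest`, and `verify_asset` are hypothetical, and `signature_ok` stands in for the result of a GPG check on the manifest that the caller has already performed.

```python
import hashlib
import hmac

# Constructed manifest format, one "name algo:hex [algo:hex]" entry per line.
# This is NOT the real cPanelSync layout, which the page does not show.
def parse_manifest(text):
    """Return {filename: {algo: hexdigest}} from the constructed format."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *digests = line.split()
        entries[name] = dict(d.split(":", 1) for d in digests)
    return entries

def verify_asset(name, data, manifest, signature_ok, allow_weak=False):
    """Return (accepted, reason) for one downloaded file.

    signature_ok is the caller's GPG verdict on the manifest itself;
    without it the checksums are anchored to nothing.
    """
    if not signature_ok:
        return False, "manifest signature not verified"
    digests = manifest.get(name)
    if digests is None:
        return False, "file not listed in signed manifest"
    # Pick the algorithm once. A SHA512 mismatch never falls back to MD5,
    # otherwise an attacker could downgrade the check.
    if "sha512" in digests:
        algo = "sha512"
    elif "md5" in digests and allow_weak:
        algo = "md5"
    elif "md5" in digests:
        return False, "only MD5 available and weak checksums are not allowed"
    else:
        return False, "no supported checksum in manifest"
    actual = hashlib.new(algo, data).hexdigest()
    if not hmac.compare_digest(actual, digests[algo].lower()):
        return False, f"checksum mismatch ({algo})"
    return True, f"verified with {algo}"

# Constructed sample data: one entry with SHA512, one legacy entry with MD5 only.
PAYLOAD = b"constructed sample asset\n"
MANIFEST = parse_manifest(
    f"new.tar sha512:{hashlib.sha512(PAYLOAD).hexdigest()}\n"
    f"legacy.tar md5:{hashlib.md5(PAYLOAD).hexdigest()}\n"
)
```

With the weak-checksum option off, the MD5-only entry is rejected even though its bytes are intact, which is the behavior to expect from custom mirrors that lack SHA512 manifests.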
cPanel & WHM also provides support for custom third-party cPAddons Site Software installations. By default, cPanel & WHM does not validate the security of third-party cPAddons in the same way it does for cPAddons that cPanel delivers. If you are certain that all third-party cPAddons that reside on the system are correctly signed, you can enable signature verification via the tweak setting.
If files downloaded from the cPanel mirrors become corrupt in transit, you should see an error message that indicates what type of failure has occurred. Most cPanel & WHM subsystems will automatically switch to a different mirror to download a valid version of the requested file.
This failure message indicates that the “.asc” signature file that should accompany a download was missing on the mirror.
Error: Failed to verify signature for cpanel (key types: release): Invalid signature.
This failure message indicates that a signature file was present and was generated by a key in the correct keyring, but the file that the signature accompanies appears to be modified.
Error: Failed to verify signature for cpanel (key types: release): Could not find public key in keychain.
This error indicates that a signature file was present, but that the signature was generated by a key that was not included in the currently selected keyring. You may encounter this error message if you attempt to download a build from next.cpanel.net without enabling the “Development” keyring.
Checksum mismatch (actual: ce154dabbea49ff9ba30873964e8fd3736270ababaa35ffa574926818
This indicates that the checksum for an unsigned file did not match the expected value and cannot be used safely.
Signature verification failed using file from IP 10.215.217.12 and signature from IP 10.215.217.24...skipping 10.215.217.12...
This message indicates that the file downloaded from the mirror at 10.215.217.12 and the signature downloaded from 10.215.217.24 did not validate correctly. In most cases, out-of-date mirrors rather than malicious tampering cause signature verification failures. cPanel's download logic attempts to download files and their matching signatures four times using different mirrors before giving up on the download.
Failed to create gpg object: No keys found for vendor 'cpanel'
This failure message indicates that a local copy of the cPanel GPG public key file (