OpenPGP

To facilitate the secure addition of customer packages, OpenPGP (Pretty Good Privacy) can be utilized for self-signing and verifying the software or firmware files involved in the installation or update process on Juniper devices. OpenPGP is a widely adopted encryption standard that uses asymmetric cryptography to provide confidentiality, integrity, and non-repudiation of data.

Note:

A signer machine will be needed that has an installation of GPG to generate the private key and to sign the package.

The OpenPGP key created should be kept secure. Anyone who has access to the private key would be able to sign code that can run on the customer device.

The Veriexec feature on Junos OS enforces that all software is signed by a valid authority, which is usually Juniper Networks, Inc. Customers can sign their own packages with OpenPGP (Pretty Good Privacy) to allow the package to run on Junos OS.

Note:

Currently, the OpenPGP feature is supported only on Junos OS.

This section provides a step-by-step walkthrough on how to utilize OpenPGP for veriexec, covering key generation, key installation on Junos devices, signing manifests, and verifying signed manifests using OpenPGP signatures.

Before generating OpenPGP keys, add the veriexec-openpgp.tgz extension to Junos. To add the extension, execute the command request system software add veriexec-openpgp.tgz on the Junos device. This command ensures the installation of the necessary components for OpenPGP integration, making them ready for use.

Once the veriexec-openpgp.tgz extension has been added, we can proceed with generating the OpenPGP keys on the signer machine.

  1. Generate OpenPGP Keys:
    1. Open a terminal or command prompt.
    2. Execute the following command to generate an RSA key pair:
    3. This will generate a key pair and display the key ID, which will be used later for verification.

  2. Export Public and Private Keys on the signer machine:
    1. Execute the following commands to export the public and private keys on the signer machine:

      Note:

      Keep the exported private key file with the ".sec.asc" extension secret.

    2. Replace ACA72B4719FD2523 with the key ID obtained in step 1.
    3. These commands will generate ASCII-armored versions of the public and private keys.

  3. Install Public Key on Junos:
    1. Copy the public key file (ACA72B4719FD2523.pub.asc) to the Junos device.
    2. Execute the following command on the Junos device to install the public key.
    3. This adds the public key to the trust store used by veriexec.
  4. Sign manifests:

    To sign manifests, you have two options depending on your requirements.

    • Option 1: Utilize the signing server

      If you have access to the signing server, follow these steps:

      • Create or obtain the manifest file that needs to be signed (e.g., manifest).

      • Execute the following command to generate an OpenPGP signature for the manifest:

      • Replace server:port with the actual signing server and port.

      • This command signs the manifest using OpenPGP and generates a signature file (manifest.asc).

    • Option 2: Perform self-signing using GPG on signer machine

      If you prefer to self-sign using GPG, follow these steps:

      • Create or obtain the manifest file that needs to be signed (e.g., manifest).

      • Execute the following command to sign the manifest using OpenPGP and generate a signature file (manifest.asc):

      • Replace server:port with the actual signing server and port.

      • This command signs the manifest using OpenPGP and generates a signature file (manifest.asc).

  5. Verify signed manifests:
    1. Copy the signed manifest file (manifest and manifest.asc) to the Junos device.
    2. Open a Unix shell or command prompt on the Junos device.
    3. Execute the following command to verify the signed manifest:

      Note:

      Replace /path/to/directory with the actual directory path where the manifest and associated files are located, and /path/to/manifest with the path to the manifest file.

    4. Veriexec will automatically verify the manifest (package) using the public key and the corresponding signature.

    By following these steps, you can leverage the veriexec-openpgp package to control the signing keys and trust anchors used by Junos, providing additional security and customization options for customer packages.
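The page does not reproduce the actual commands, so here is an added example (not Juniper's own code or commands) that walks the signer-machine steps 1, 2 and 4/Option 2 with stock GnuPG and finishes with the check that a party holding only KEYID.pub.asc can run, which is the property veriexec relies on. It assumes gpg 2.x is on PATH; the user ID, the manifest content and the work directory are constructed sample values, and the file names follow the page's KEYID.pub.asc / KEYID.sec.asc / manifest.asc convention.

```shell
# Added example, not from the Juniper page: signer-machine steps (1, 2 and 4/Option 2)
# with stock GnuPG, plus a public-key-only check mirroring the verifier. Assumes gpg 2.x
# is on PATH; user ID and manifest content are constructed; file names follow the page.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate" >&2; exit 0; }
WORK=$(mktemp -d /tmp/pgpdemo.XXXXXX)       # throwaway keyring, never the real ~/.gnupg
export GNUPGHOME="$WORK/gnupg"; mkdir -m 700 "$GNUPGHOME"

# Step 1: RSA signing key, non-interactive; %no-protection is demo-only, real keys get a passphrase.
gen_key() {
  gpg --batch --quiet --gen-key >/dev/null <<'EOF'
%no-protection
Key-Type: RSA
Key-Usage: sign
Name-Real: Example Package Signer
Name-Email: signer@example.com
Expire-Date: 0
%commit
EOF
  # Long key ID (16 hex digits, the form the page uses) from the colon-separated listing
  gpg --list-keys --with-colons signer@example.com | awk -F: '/^pub:/ {print $5; exit}'
}

# Step 2: ASCII-armored exports; the .sec.asc file is the one that must stay secret.
export_keys() {   # $1 = key ID
  gpg --armor --export "$1" > "$WORK/$1.pub.asc"
  gpg --armor --export-secret-keys "$1" > "$WORK/$1.sec.asc"
  chmod 600 "$WORK/$1.sec.asc"
}

# Step 4, Option 2: detached, armored signature over the manifest -> manifest.asc
sign_manifest() {   # $1 = key ID, $2 = manifest path
  gpg --batch --yes --local-user "$1" --armor --detach-sign --output "$2.asc" "$2"
}

# Verifier side: import only KEYID.pub.asc into an empty keyring and check manifest.asc.
# Returns 0 on a good signature, non-zero if the manifest or signature was altered.
verify_with_pubkey_only() {   # $1 = key ID, $2 = manifest path
  VHOME="$WORK/verify"; mkdir -p -m 700 "$VHOME"
  gpg --homedir "$VHOME" --batch --quiet --import "$WORK/$1.pub.asc"
  gpg --homedir "$VHOME" --batch --quiet --verify "$2.asc" "$2"
}

KEYID=$(gen_key)
export_keys "$KEYID"
printf 'constructed sample manifest line\n' > "$WORK/manifest"
sign_manifest "$KEYID" "$WORK/manifest"
verify_with_pubkey_only "$KEYID" "$WORK/manifest" && echo "good signature from $KEYID"
# A modified manifest must be rejected even though the signature file is unchanged:
cp "$WORK/manifest" "$WORK/tampered"; cp "$WORK/manifest.asc" "$WORK/tampered.asc"
echo 'injected line' >> "$WORK/tampered"
verify_with_pubkey_only "$KEYID" "$WORK/tampered" || echo "tampered manifest rejected"
```

The script uses a temporary GNUPGHOME so it never touches an existing keyring; only the .pub.asc file is what would be copied to the Junos device, and the .sec.asc file stays on the signer machine.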