Generate OpenPGP Keys for Secure Package Signing on Junos OS

Learn how to use OpenPGP for secure package signing on Junos OS to ensure the authenticity and integrity of software packages.

OpenPGP Overview

OpenPGP is a widely adopted encryption standard that uses asymmetric cryptography to provide confidentiality, integrity, and non-repudiation of data. Using OpenPGP, customers can add their own packages to a device securely: the standard lets them self-sign, and the device verify, the software or firmware files involved in the installation or update process on Juniper Networks devices.

You must set up a signer machine that includes a GNU Privacy Guard (GPG) installation to generate a private OpenPGP key and sign any software package.

You must keep the newly created OpenPGP key secure. Anyone who has access to the private key can sign code that can run on the customer device.

Veriexec Feature for OpenPGP

The Veriexec feature on Junos OS enforces that all software is signed by a valid authority, which is usually Juniper Networks, Inc. Customers can sign their own packages with OpenPGP (the open standard derived from Pretty Good Privacy, PGP) to allow the package to run on Junos OS.

This section provides a step-by-step walk-through on how to use OpenPGP for veriexec, covering key generation, key installation on Junos OS devices, signing manifests, and verifying signed manifests using OpenPGP signatures.

Before generating OpenPGP keys, add the veriexec-openpgp.tgz extension to Junos OS. To add the extension, execute the command request system software add veriexec-openpgp.tgz on the Junos OS device. This command ensures that the necessary components for OpenPGP integration are installed and ready for use.

After you add the veriexec-openpgp.tgz extension, proceed with generating the OpenPGP keys in the signer machine.

Steps to Generate OpenPGP Keys

To set up secure package signing on Junos OS, follow these steps:

  1. Generate OpenPGP keys:
    1. Open a terminal or command prompt.
    2. Execute the following command to generate an RSA keypair:
      Along with a keypair, the command generates the key ID, which will be used later for verification.
  2. Export public and private keys on the signer machine:
    1. Execute the following commands to export the public and private keys on the signer machine:

      Keep the exported private key file with the .sec.asc extension secret.

    2. Replace ACA72B4719FD2523 with the key ID obtained in step 1. These commands generate ASCII-armored versions of the public and private keys.
  3. Install the public key on Junos OS:
    1. Copy the public key file (ACA72B4719FD2523.pub.asc) to the device.
    2. Execute the following command on the device to install the public key.
      This command adds the public key to the trust store used by veriexec.
  4. Sign manifests:

    To sign manifests, you have two options depending on your requirements.

    1. Option 1: Use the signing server:

      1. Create or obtain the manifest file that needs to be signed. For example: manifest.

      2. Execute the following command to generate an OpenPGP signature for the manifest:

      3. Replace server:port with the actual signing server and port. This command signs the manifest using OpenPGP and generates a signature file. For example: manifest.asc.

    2. Option 2: Perform self-signing using GPG on signer machine:

      1. Create or obtain the manifest file that needs to be signed. For example: manifest.

      2. Execute the following command to sign the manifest using OpenPGP and generate a signature file. For example: manifest.asc.

      3. Replace server:port with the actual signing server and port. This command signs the manifest using OpenPGP and generates a signature file. For example: manifest.asc

  5. Verify signed manifests:
    1. Copy the manifest file and its signature (for example, manifest and manifest.asc) to the Junos OS device.
    2. Open a Unix shell or command prompt on the Junos OS device.
    3. Execute the following command to verify the signed manifest:

      Replace /path/to/directory with the actual directory path where the manifest and associated files are located, and /path/to/manifest with the path to the manifest file. Veriexec will automatically verify the manifest (package) using the public key and the corresponding signature.

    By following these steps, you can use the veriexec-openpgp package to control the signing keys and trust anchors that Junos OS trusts, which gives you additional security and customization options for customer packages.
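The signer-machine side of steps 1, 2, 4 (option 2) and 5 above, written out as an added example with GnuPG; this is not code from the Juniper page, it uses throwaway keyrings, and it assumes gpg 2.1 or later is on PATH. The Junos-side commands for installing the public key and running veriexec are not reproduced.

```shell
#!/bin/sh
# Added example, not code from the Juniper page: key generation, export,
# self-signing and verification with GnuPG in throwaway keyrings.
# Assumes `gpg` (2.1 or later) is on PATH.
set -eu

# Isolated keyring and scratch directory so the demo never touches real keys
# or leaves files in the caller's working directory.
export GNUPGHOME="$(mktemp -d)"
cd "$(mktemp -d)"

# Step 1: generate an RSA keypair non-interactively and print its 16-digit
# key ID (the value the page shows as ACA72B4719FD2523). The unprotected key
# is a demo shortcut; a real signing key keeps a passphrase.
generate_signing_key() {
    gpg --batch --gen-key >/dev/null 2>&1 <<'EOF'
Key-Type: RSA
Key-Length: 3072
Name-Real: Example Package Signer
Name-Email: signer@example.invalid
Expire-Date: 0
%no-protection
%commit
EOF
    gpg --list-keys --with-colons signer@example.invalid \
        | awk -F: '$1 == "pub" { print $5; exit }'
}

# Step 2: export ASCII-armored keys; KEYID.sec.asc is the secret one.
export_keys() {
    gpg --batch --armor --export "$1" > "$1.pub.asc"
    gpg --batch --armor --export-secret-keys "$1" > "$1.sec.asc"
}

# Step 4, option 2: self-sign a manifest, producing a detached signature
# in manifest.asc. Usage: sign_manifest KEYID manifest
sign_manifest() {
    gpg --batch --yes --armor --detach-sign --local-user "$1" --output "$2.asc" "$2"
}

# Step 5, as the device would see it: verify with a keyring that holds only
# the exported public key. Exits non-zero if manifest or signature changed.
# Usage: verify_manifest KEYID manifest
verify_manifest() {
    vhome="$(mktemp -d)"
    gpg --homedir "$vhome" --batch --quiet --import "$1.pub.asc" 2>/dev/null
    gpg --homedir "$vhome" --batch --verify "$2.asc" "$2" 2>/dev/null
}
```

A manifest altered after signing, or a signature made with a key the verifier does not hold, makes verify_manifest return non-zero, which is the property veriexec relies on.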