Difference between revisions of "Kerberos for Windows (KfW) Build Environment"
From K5Wiki
(3 intermediate revisions by the same user not shown)

Previous revision (the text replaced by the latest revision shown further below; the category tag, the opening sentence and the closing pointer to release engineering are common to both revisions):

[[Category: Kerberos for Windows]]

Directions for producing an environment in which to build Kerberos for Windows version 4

Start with a clean Windows 7 installation (64-bit necessary?)

(0) get a browser that you like/trust to validate SSL certs/etc.

(1) Install MS Visual Studio 2010 Professional
grab the Visual C++ 10.0 runtime for x86 and x64
also the 64-bit prerequisites
Documentation files not necessary
Choose 'Visual C++ Development Settings' (probably doesn't matter)
You should now have an 'HTML Help Workshop' entry within Program Files (x86). This will get added to the path, later.

(2) Install the Windows SDK version 7.1
http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=8279
The download is over a non-https url by default, though the installer is signed by a Microsoft certificate.
[Select all components (add application verifier, debugging tools, windows performance toolkit)]
Finishing the installation brings up the Help Library Manager (installer?) but nothing should be necessary from that utility.
If you have an error mentioning "Please refer to Samples\Setup\HTML\ConfigDetails.htm" then uninstall any existing Visual Studio 2010 Redistributable packages installed on your system and try again.

(3) Install the Utilities and SDK for UNIX-based Applications (amd64 if on a 64-bit system)
First, enable the Windows feature "Subsystem for UNIX-based Applications" from the Control Panel. (Programs [and Features] menu, "Turn on or off Windows features", or similar.)
Then visit (also available from the All Programs menu)
http://www.microsoft.com/en-us/download/details.aspx?id=23754
Again, this is a http-default page, and attempting to use SSL causes an error due to Akamai configuration.
I have Version 10.0.6030.0 of the SUA, which claims to be for Windows Vista RTM/Windows Vista SP1/Windows Server 2008 RTM but appears to work fine on Windows 7.
[The standard installation gives us awk, which may be all we need?]

(4) Install the Windows Installer XML Toolkit
Tested with version 3.5; there is a 3.6 beta available as well.
wix.sourceforge.net --> wix.codeplex.com/releases/view/60102
These default to non-SSL urls; try to get
https://download-codeplex.sec.s-msft.com/Download/Release?ProjectName=wix&DownloadId=204417&FileTime=129409234222130000&Build=19194
Install all components (the default setting).

(5) Update the system path to include some necessary utilities.
This is something like Control Panel->System->Advanced System Settings->Environment
awk is in C:\Windows\SUA\bin
But, you will need to make a *copy* (not link) of it named awk.exe in order for things to work properly. Check the permissions so that everyone can read and execute it.
Add the directory containing hhc.exe to the path: C:\Program Files (x86)\HTML Help Workshop
Add C:\Program Files (x86)\Windows Installer XML v3.5\bin to the path to get candle.exe.

(6) Install a real Perl that can handle both forward-slash and backward-slash as path separators, e.g., ActivePerl or Strawberry Perl.
I used Strawberry Perl, since its installer was downloadable over SSL and was digitally signed.
I have strawberry_perl-5.14.2.1-64bit.msi
Note that you may not have spaces in the path to the installation, so it installs to c:\strawberry by default.

That should be enough for the build environment.

To actually build an installer, first get the source. If you are using git to get the source, don't set it to convert the line endings to native. The SUA version of awk expects the files to have unix line endings.

Next, fire up the Windows SDK 7.1 command prompt.

(0) cmd /v to get delayed expansion of variables

(1) Environment set-up
set KRB_INSTALL_DIR=/path/to/an/obj/dir
[set MIT_INTERNAL=1]
[set NODEBUG=1]
\Program Files\Microsoft SDKs\Windows\v7.1\Bin\SetEnv.cmd /x86 [/release]
set CPU=i386

(2) Build the 32-bit binaries
cd /path/to/krb5-tree/src
[nmake clean]
nmake -f Makefile.in prep-windows
nmake
nmake install

(3) Build 32-bit installer
cd windows/installer/wix
[nmake clean]
nmake
rename kfw.msi kfw32.msi

(4) 64-bit build -- NOTE: don't delete the install directory from the 32-bit build; the 32-bit DLLs are needed by the 64-bit installer
\Program Files\Microsoft SDKs\Windows\v7.1\Bin\SetEnv.cmd /x64 [/release]
set CPU=AMD64
cd /path/to/krb5-tree/src
nmake clean
nmake -f Makefile.in prep-windows [?]
nmake
nmake install

(5) Build 64-bit installer
cd windows/installer/wix
nmake clean
nmake
rename kfw.msi kfw64.msi

Code signing
signtool sign /v /d "MIT Kerberos for Windows installer" /a /fd sha256 /tr http://timestamp.comodoca.com /td sha256 kfw.msi

Code signing with SHA256 file digest and timestamp (not required until 2017-01-01?)
signtool sign /v /a /fd sha256 /tr http://timestamp.comodoca.com /td sha256 /d kfw.msi foo.msi

See also https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/68/7/

More general KfW release engineering information at [[Kerberos for Windows Release Engineering]].
Latest revision as of 17:30, 22 April 2026
Directions for producing an environment in which to build Kerberos for Windows version 4.2
- Install 64-bit Windows 10.
- Install Visual Studio 2017 Community.
  - Check "Desktop development with C++".
  - Check "MFC and ATL support".
  - After installing, locate the Visual Studio 2017 menu under the start menu, and pin the x64 and x86 Native Tools Command Prompt entries to the task bar for e
- Install the Chocolatey package manager from https://chocolatey.org/install (by pasting the PowerShell command line into an administrative PowerShell). Install the following packages:

  choco install wixtoolset -y
  choco install strawberryperl -y
  choco install git -y -params '"/GitAndUnixToolsOnPath"'
  choco install emacs -y
  choco install windbg -y

- Add WiX to the path.
  - Search for "environment" and run "Edit the system environment variables".
  - Click "Environment Variables" (button at bottom).
  - Click on WIX and copy its value.
  - Click on Path, click Edit, click New, paste the value and add "\bin".
- Choose a released version of OpenSSL (called X.Y.Z below) and build it:

  cd %homepath%
  git clone https://github.com/openssl/openssl
  cd openssl
  git checkout openssl-X.Y.Z
  perl Configure
  nmake
  nmake install
  set OPENSSL_DIR=C:\Program Files\OpenSSL
  set OPENSSL_VERSION=X
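The following PowerShell script is an added example, not part of the K5Wiki page or of the krb5 project's build files. It performs the OpenSSL step above with the checks a release engineer wants before a long nmake run: every tool the build and installer steps invoke must resolve on PATH, the OpenSSL checkout is pinned to a release tag (and the tag's signature is checked when the signing key is available), and OPENSSL_DIR, OPENSSL_VERSION and NODEBUG are recorded persistently so each new Native Tools prompt inherits them. The tool list, the install prefix and the tag naming are assumptions taken from the commands on the page.

```powershell
# Added example (not the page's or the krb5 project's code). Run from a
# PowerShell started inside the "x64 Native Tools Command Prompt" so that
# cl.exe and nmake.exe are already on PATH; "nmake install" writes under
# Program Files, so that prompt must be elevated.
param(
    [Parameter(Mandatory = $true)][string]$OpenSslVersion,     # the page's X.Y.Z, e.g. 3.0.13 (assumed release)
    [string]$OpenSslDir = 'C:\Program Files\OpenSSL',          # default prefix written by "nmake install"
    [string]$SourceRoot = (Join-Path $env:USERPROFILE 'openssl')
)
$ErrorActionPreference = 'Stop'

function Invoke-Checked([string]$Exe, [string[]]$Arguments) {
    # Run a native command and fail loudly instead of continuing past an error.
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe $Arguments failed with exit code $LASTEXITCODE" }
}

# 1. Every tool the build or the installer step invokes must be resolvable.
#    candle.exe/light.exe come from the WiX bin directory added to Path above.
$tools = @('cl.exe', 'nmake.exe', 'perl.exe', 'git.exe', 'candle.exe', 'light.exe')
foreach ($tool in $tools) {
    $cmd = Get-Command $tool -ErrorAction SilentlyContinue
    if (-not $cmd) { throw "$tool is not on PATH; re-check the choco installs and the WIX\bin Path entry" }
    Write-Host ('{0,-10} {1}' -f $tool, $cmd.Source)
}
if (-not $env:WIX) { throw 'WIX environment variable is missing; the wixtoolset package should have set it' }

# 2. Fetch OpenSSL and pin it to the release tag, never to the moving default
#    branch. "git tag -v" checks the signature on the annotated tag when the
#    signer's key is in the local GPG keyring; otherwise it is only a warning.
$tag = "openssl-$OpenSslVersion"
if (-not (Test-Path $SourceRoot)) {
    Invoke-Checked 'git' @('clone', 'https://github.com/openssl/openssl', $SourceRoot)
}
Push-Location $SourceRoot
try {
    Invoke-Checked 'git' @('fetch', '--tags')
    $found = & git tag --list $tag
    if (-not $found) { throw "no tag named $tag; check the version against the OpenSSL release list" }
    Invoke-Checked 'git' @('checkout', $tag)
    & git tag -v $tag
    if ($LASTEXITCODE -ne 0) { Write-Warning "signature on $tag could not be verified (signing key not in your GPG keyring?)" }
    # Build and install exactly as the page does.
    Invoke-Checked 'perl'  @('Configure')
    Invoke-Checked 'nmake' @()
    Invoke-Checked 'nmake' @('install')
}
finally { Pop-Location }

# 3. Confirm the install landed where OPENSSL_DIR will point, then persist the
#    variables for this user so every new Native Tools prompt sees them.
if (-not (Test-Path (Join-Path $OpenSslDir 'bin\openssl.exe'))) {
    throw "openssl.exe not found under $OpenSslDir; nmake install used a different prefix"
}
$major = $OpenSslVersion.Split('.')[0]                           # the page's OPENSSL_VERSION=X
[Environment]::SetEnvironmentVariable('OPENSSL_DIR',     $OpenSslDir, 'User')
[Environment]::SetEnvironmentVariable('OPENSSL_VERSION', $major,      'User')
[Environment]::SetEnvironmentVariable('NODEBUG',         '1',         'User')
Write-Host "OPENSSL_DIR=$OpenSslDir OPENSSL_VERSION=$major NODEBUG=1 recorded for $env:USERNAME"
```

Invoke it as `.\Setup-KfwOpenSsl.ps1 -OpenSslVersion 3.0.13` (file name and version are placeholders). Persisting the variables at user scope rather than with `set` means they survive closing the prompt, which is the reason the page suggests putting NODEBUG in the environment in the first place.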
- Follow the instructions in src/windows/README to perform a build. NODEBUG can be set in the environment ("set NODEBUG=1") to avoid having to specify it on the nmake command line each time. For MIT-specific builds, also "set MIT_INTERNAL=1" or specify it on the nmake command line when building the installer.
- To sign an MSI file:
  - Connect a cryptographic token with FIPS support containing a code-signing certificate. If using VMware Workstation, use VM > Removable Devices to pass through the token, disconnecting it from the host.
  - If it is a YubiKey token containing an ECC code-signing certificate, it may be necessary to install the YubiKey Smart Card Minidriver from https://www.yubico.com/support/download/smart-card-drivers-tools/ . Reconnect the YubiKey token after installing.
  - Verify that the certificate is visible to Windows using "certutil -store -user my".
  - Use the command:

  signtool sign /v /d "MIT Kerberos for Windows installer" /a /fd sha256 /tr http://timestamp.comodoca.com /td sha256 kfw.msi
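As an added example (not the page's or the project's own release script), the PowerShell below wraps the signtool command above so that the signing certificate is chosen explicitly rather than by `/a`, and so that the signed MSI is verified before it leaves the build box. It assumes the token's certificate is visible in the current user's personal store (the certutil check above) and that signtool.exe from the Windows SDK is on PATH in the Native Tools prompt; the script and parameter names are placeholders.

```powershell
# Added example; not from the K5Wiki page or the krb5 project.
param(
    [Parameter(Mandatory = $true)][string]$MsiPath,                 # e.g. kfw.msi
    [string]$Thumbprint,                                            # optional: pin the signing certificate
    [string]$Description  = 'MIT Kerberos for Windows installer',
    [string]$TimestampUrl = 'http://timestamp.comodoca.com'         # RFC 3161 TSA used on the page
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path $MsiPath)) { throw "$MsiPath does not exist" }

# 1. Choose the code-signing certificate deliberately. "/a" lets signtool pick
#    the "best" candidate; on a box that also holds test or expired certificates
#    an explicit thumbprint avoids signing a release with the wrong key.
$candidates = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }
if ($Thumbprint) { $candidates = $candidates | Where-Object { $_.Thumbprint -eq $Thumbprint } }
$candidates = @($candidates)
if ($candidates.Count -eq 0) {
    throw 'no usable code-signing certificate in CurrentUser\My; is the token connected and the minidriver installed?'
}
if ($candidates.Count -gt 1) {
    $candidates | Format-Table Thumbprint, Subject, NotAfter -AutoSize | Out-String | Write-Host
    throw 'more than one code-signing certificate found; pass -Thumbprint to select one'
}
$cert = $candidates[0]
Write-Host "Signing with $($cert.Subject) (expires $($cert.NotAfter.ToShortDateString()))"

# 2. Sign with a SHA-256 file digest and an RFC 3161 SHA-256 timestamp, as on
#    the page, so the signature remains valid after the certificate expires.
& signtool sign /v /sha1 $cert.Thumbprint /d $Description /fd sha256 /tr $TimestampUrl /td sha256 $MsiPath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed ($LASTEXITCODE); check the token PIN prompt and TSA reachability" }

# 3. Verify the result the way Windows Installer will: /pa applies the default
#    Authenticode policy, /v prints the chain and the timestamp.
& signtool verify /pa /v $MsiPath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed ($LASTEXITCODE); do not ship $MsiPath" }

# 4. Independent cross-check from .NET: the signature must chain to a trusted
#    root and the signer must be the certificate selected above.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') { throw "Authenticode status is $($sig.Status): $($sig.StatusMessage)" }
if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) { throw 'MSI was signed by a different certificate than selected' }
Write-Host "$MsiPath signed and verified; timestamped by $($sig.TimeStamperCertificate.Subject)"
```

Run it as `.\Sign-KfwMsi.ps1 -MsiPath kfw.msi` (placeholder file name). The `/sha1` selector is a deliberate change from the page's `/a`; the remaining signtool options are the page's.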
- To obtain a code-signing certificate (these steps are for a Debian-based Linux system):
  - Obtain a cryptographic token with FIPS support. These notes assume a YubiKey 5 NFC FIPS token.
  - Install the yubikey-manager package.
  - Generate a certificate request and attestation file as follows:

  ykman piv keys generate -a ECCP384 9a publickey
  (return to use default key)
  ykman piv keys attest 9a attest.crt
  ykman piv certificates request -s "MIT Code Signing" 9a publickey csr
  (enter default PIN 123456)
  ykman piv certificates export f9 intermediate.crt
  cat attest.crt intermediate.crt | base64 > attest.b64

  - Send mail to mitcert@mit.edu . They will generate an invitation link to cert-manager.com. When filling out the form, leave the SAN email field blank. Paste the csr file and the attest.b64 file into the form.
  - After issuance, choose the "Certificate (w/ issuer after), PEM" link from the resulting email message.
  - Import the certificate with "ykman piv certificates import 9a cert.pem" (where "cert.pem" is the downloaded file).
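The following is an added example, not from the page, Yubico or MIT: before the CSR and attest.b64 are submitted, it checks that the three artefacts produced by the ykman commands above belong together. The public key in the CSR must equal the key the attestation certifies (and the publickey file written by ykman), the key must be the P-384 key that was requested, and the attestation must chain through the slot-f9 intermediate to Yubico's PIV attestation root. It runs wherever openssl is on PATH (the OpenSSL built earlier on the page, or PowerShell on the Debian box); the root CA in PEM form is published by Yubico at https://developers.yubico.com/PIV/Introduction/piv-attestation-ca.pem and is passed in as a file. The default file names are the page's ykman outputs; everything else is an assumption of the example.

```powershell
# Added example; not the page's or the project's code.
param(
    [string]$Csr          = 'csr',                # from "ykman piv certificates request"
    [string]$PublicKey    = 'publickey',          # from "ykman piv keys generate"
    [string]$Attestation  = 'attest.crt',         # from "ykman piv keys attest 9a"
    [string]$Intermediate = 'intermediate.crt',   # from "ykman piv certificates export f9"
    [Parameter(Mandatory = $true)][string]$YubicoRoot   # Yubico PIV attestation root CA, PEM
)
$ErrorActionPreference = 'Stop'
foreach ($f in @($Csr, $PublicKey, $Attestation, $Intermediate, $YubicoRoot)) {
    if (-not (Test-Path $f)) { throw "missing input file: $f" }
}

function Get-PemPublicKey([string[]]$OpenSslArgs) {
    # Run an openssl subcommand that prints a PEM public key and normalise the
    # output so two keys can be compared line for line.
    $out = & openssl @OpenSslArgs
    if ($LASTEXITCODE -ne 0) { throw "openssl $OpenSslArgs failed" }
    return (($out | Where-Object { $_ -ne '' }) -join "`n").Trim()
}

# 1. Key consistency: the CSR, the publickey file and the attestation must all
#    carry the same key, otherwise the CA receives a request for one key and an
#    attestation for another.
$fromCsr    = Get-PemPublicKey @('req',  '-in', $Csr,         '-noout', '-pubkey')
$fromAttest = Get-PemPublicKey @('x509', '-in', $Attestation, '-noout', '-pubkey')
$fromFile   = (((Get-Content $PublicKey) | Where-Object { $_ -ne '' }) -join "`n").Trim()
if ($fromCsr -ne $fromAttest) { throw 'CSR public key differs from the attested key (request made for a different slot or key?)' }
if ($fromCsr -ne $fromFile)   { throw 'publickey file does not match the CSR; regenerate the request' }

# 2. Algorithm check: the page generates ECCP384, so the attested key's curve
#    must be secp384r1 (openssl prints "ASN1 OID: secp384r1" for it).
$curve = & openssl x509 -in $Attestation -noout -text | Select-String 'ASN1 OID: secp384r1'
if (-not $curve) { throw 'attested key is not P-384 although ECCP384 was requested' }

# 3. Chain check: attest.crt must validate against the Yubico root with the
#    slot-f9 intermediate supplied as untrusted, which is what the CA will do
#    with the concatenated attest.b64.
& openssl verify -CAfile $YubicoRoot -untrusted $Intermediate $Attestation
if ($LASTEXITCODE -ne 0) { throw 'attestation does not chain to the Yubico PIV root (wrong token, wrong root file or tampered files)' }

# 4. Show what the CA will see so the submitter can eyeball subject and serial.
& openssl x509 -in $Attestation -noout -subject -issuer -serial
Write-Host 'CSR, public key and attestation are consistent; safe to assemble attest.b64'
```

Run it as `.\Test-PivAttestation.ps1 -YubicoRoot piv-attestation-ca.pem` from the directory holding the ykman outputs (script name is a placeholder). The verify step mirrors what the issuing CA does with attest.b64, so a failure here means the submission would be rejected or, worse, that the attestation does not describe the key being certified.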
See also https://www.sectigo.com/knowledge-base/detail/Key-Generation-and-Attestation-with-YubiKey .
More general KfW release engineering information at Kerberos for Windows Release Engineering.
