Difference between revisions of "Kerberos for Windows (KfW) Build Environment"
From K5Wiki
| (2 intermediate revisions by the same user not shown) | |||
| Line 19: | Line 19: | ||
* Add wix to the path. |
* Add wix to the path. |
||
| − | ** search for |
+ | ** search for "environment" and run "Edit the system environment variables". |
| − | ** |
+ | ** Click "environment variables" (button at bottom) |
| − | ** environment variables (button at bottom) |
||
** click on wix, copy value. |
** click on wix, copy value. |
||
** click on path, click edit, click new, paste value and add "\bin". |
** click on path, click edit, click new, paste value and add "\bin". |
||
| ⚫ | Follow the instructions in src/windows/README to perform a build. NODEBUG can be set in the environment ("set NODEBUG=1") to avoid having to specify it on the nmake command line each time. For MIT-specific builds, also "set MIT_INTERNAL=1" or specify it on the nmake command line when building the installer. |
||
| + | * Choose a released version of OpenSSL (called X.Y.Z below) and build it: |
||
| − | Code signing: |
||
| + | cd %homepath% |
||
| + | git clone https://github.com/openssl/openssl |
||
| + | cd openssl |
||
| + | git checkout openssl-X.Y.Z |
||
| + | perl Configure |
||
| + | nmake |
||
| + | nmake install |
||
| + | set OPENSSL_DIR=C:\Program Files\OpenSSL |
||
| + | set OPENSSL_VERSION=X |
||
| ⚫ | |||
| ⚫ | * Follow the instructions in src/windows/README to perform a build. NODEBUG can be set in the environment ("set NODEBUG=1") to avoid having to specify it on the nmake command line each time. For MIT-specific builds, also "set MIT_INTERNAL=1" or specify it on the nmake command line when building the installer. |
||
| − | See also https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/68/7/ |
||
| + | * To sign an MSI file: |
||
| + | ** Connect a cryptographic token with FIPS support containing a code-signing certificate. If using VMWare Workstation, use VM > Removable Devices to pass through the token, disconnecting it from the host. |
||
| + | ** If it is a Yubikey token containing an ECC code-signing certificate, it may be necessary to install the YubiKey Smart Card Minidriver from https://www.yubico.com/support/download/smart-card-drivers-tools/ . Reconnect the Yubikey token after installing. |
||
| + | ** Verify that the certificate is visible to Windows using "certutil -store -user my". |
||
| + | ** Use the command: |
||
| + | |||
| ⚫ | |||
| + | |||
| + | * To obtain a code-signing certificate (these steps are for a Debian-based Linux system): |
||
| + | ** Obtain a cryptographic token with FIPS support. These notes assume a YubiKey 5 NFC FIPS token. |
||
| + | ** Install the yubikey-manager package. |
||
| + | ** Generate a certificate request and attestation file as follows: |
||
| + | ykman piv keys generate -a ECCP384 9a publickey |
||
| + | (return to use default key) |
||
| + | ykman piv keys attest 9a attest.crt |
||
| + | ykman piv certificates request -s "MIT Code Signing" 9a publickey csr |
||
| + | (enter default PIN 123456) |
||
| + | ykman piv certificates export f9 intermediate.crt |
||
| + | cat attest.crt intermediate.crt | base64 > attest.b64 |
||
| + | ** Send mail to mitcert@mit.edu . They will generate an invitation link to cert-manager.com. When filling out the form, leave the SAN email field blank. Paste the csr file and the attest.b64 file into the form. |
||
| + | ** After issuance, choose the "Certificate (w/ issuer after), PEM" link from the resulting email message. |
||
| + | ** Import the certificate with "ykman piv certificates import 9a cert.pem" (where "cert.pem" is the downloaded file). |
||
| + | |||
| + | See also https://www.sectigo.com/knowledge-base/detail/Key-Generation-and-Attestation-with-YubiKey . |
||
More general KfW release engineering information at [[Kerberos for Windows Release Engineering]]. |
More general KfW release engineering information at [[Kerberos for Windows Release Engineering]]. |
||
Latest revision as of 17:30, 22 April 2026
Directions for producing an environment in which to build Kerberos for Windows version 4.2
- Install 64-bit Windows 10.
- Install Visual Studio 2017 Community.
- Check "Desktop development with C++".
- Check "MFC and ATL support".
- After installing, locate the Visual Studio 2017 menu under the start menu, and pin the x64 and x86 Native Tools Command Prompt entries to the task bar for e
- Install the chocolatey package manager from https://chocolatey.org/install (by pasting the PowerShell command line into an administrative powershell). Install the following packages:
choco install wixtoolset -y choco install strawberryperl -y choco install git -y -params '"/GitAndUnixToolsOnPath"' choco install emacs -y choco install windbg -y
- Add wix to the path.
- search for "environment" and run "Edit the system environment variables".
- Click "environment variables" (button at bottom)
- click on wix, copy value.
- click on path, click edit, click new, paste value and add "\bin".
- Choose a released version of OpenSSL (called X.Y.Z below) and build it:
cd %homepath% git clone https://github.com/openssl/openssl cd openssl git checkout openssl-X.Y.Z perl Configure nmake nmake install set OPENSSL_DIR=C:\Program Files\OpenSSL set OPENSSL_VERSION=X
- Follow the instructions in src/windows/README to perform a build. NODEBUG can be set in the environment ("set NODEBUG=1") to avoid having to specify it on the nmake command line each time. For MIT-specific builds, also "set MIT_INTERNAL=1" or specify it on the nmake command line when building the installer.
- To sign an MSI file:
- Connect a cryptographic token with FIPS support containing a code-signing certificate. If using VMWare Workstation, use VM > Removable Devices to pass through the token, disconnecting it from the host.
- If it is a Yubikey token containing an ECC code-signing certificate, it may be necessary to install the YubiKey Smart Card Minidriver from https://www.yubico.com/support/download/smart-card-drivers-tools/ . Reconnect the Yubikey token after installing.
- Verify that the certificate is visible to Windows using "certutil -store -user my".
- Use the command:
signtool sign /v /d "MIT Kerberos for Windows installer" /a /fd sha256 /tr http://timestamp.comodoca.com /td sha256 kfw.msi
- To obtain a code-signing certificate (these steps are for a Debian-based Linux system):
- Obtain a cryptographic token with FIPS support. These notes assume a YubiKey 5 NFC FIPS token.
- Install the yubikey-manager package.
- Generate a certificate request and attestation file as follows:
ykman piv keys generate -a ECCP384 9a publickey (return to use default key) ykman piv keys attest 9a attest.crt ykman piv certificates request -s "MIT Code Signing" 9a publickey csr (enter default PIN 123456) ykman piv certificates export f9 intermediate.crt cat attest.crt intermediate.crt | base64 > attest.b64
- Send mail to mitcert@mit.edu . They will generate an invitation link to cert-manager.com. When filling out the form, leave the SAN email field blank. Paste the csr file and the attest.b64 file into the form.
- After issuance, choose the "Certificate (w/ issuer after), PEM" link from the resulting email message.
- Import the certificate with "ykman piv certificates import 9a cert.pem" (where "cert.pem" is the downloaded file).
See also https://www.sectigo.com/knowledge-base/detail/Key-Generation-and-Attestation-with-YubiKey .
More general KfW release engineering information at Kerberos for Windows Release Engineering.
