Difference between revisions of "Kerberos for Windows (KfW) Build Environment"

Latest revision as of 17:30, 22 April 2026

Directions for producing an environment in which to build Kerberos for Windows version 4.2

• Install 64-bit Windows 10.

• Install Visual Studio 2017 Community.
  • Check "Desktop development with C++".
  • Check "MFC and ATL support".
  • After installing, locate the Visual Studio 2017 menu under the start menu, and pin the x64 and x86 Native Tools Command Prompt entries to the task bar for e

• Install the chocolatey package manager from https://chocolatey.org/install (by pasting the PowerShell command line into an administrative powershell). Install the following packages:

 choco install wixtoolset -y
 choco install strawberryperl -y
 choco install git -y -params '"/GitAndUnixToolsOnPath"'
 choco install emacs -y
 choco install windbg -y

• Add wix to the path.
  • search for "environment" and run "Edit the system environment variables".
  • Click "environment variables" (button at bottom)
  • click on wix, copy value.
  • click on path, click edit, click new, paste value and add "\bin".

• Choose a released version of OpenSSL (called X.Y.Z below) and build it:

 cd %homepath%
 git clone https://github.com/openssl/openssl
 cd openssl
 git checkout openssl-X.Y.Z
 perl Configure
 nmake
 nmake install
 set OPENSSL_DIR=C:\Program Files\OpenSSL
 set OPENSSL_VERSION=X

• Follow the instructions in src/windows/README to perform a build. NODEBUG can be set in the environment ("set NODEBUG=1") to avoid having to specify it on the nmake command line each time. For MIT-specific builds, also "set MIT_INTERNAL=1" or specify it on the nmake command line when building the installer.

• To sign an MSI file:
  • Connect a cryptographic token with FIPS support containing a code-signing certificate. If using VMWare Workstation, use VM > Removable Devices to pass through the token, disconnecting it from the host.
  • If it is a Yubikey token containing an ECC code-signing certificate, it may be necessary to install the YubiKey Smart Card Minidriver from https://www.yubico.com/support/download/smart-card-drivers-tools/ . Reconnect the Yubikey token after installing.
  • Verify that the certificate is visible to Windows using "certutil -store -user my".
  • Use the command:

 signtool sign /v /d "MIT Kerberos for Windows installer" /a /fd sha256 /tr http://timestamp.comodoca.com /td sha256 kfw.msi

• To obtain a code-signing certificate (these steps are for a Debian-based Linux system):
  • Obtain a cryptographic token with FIPS support. These notes assume a YubiKey 5 NFC FIPS token.
  • Install the yubikey-manager package.
  • Generate a certificate request and attestation file as follows:

 ykman piv keys generate -a ECCP384 9a publickey
   (return to use default key)
 ykman piv keys attest 9a attest.crt
 ykman piv certificates request -s "MIT Code Signing" 9a publickey csr
   (enter default PIN 123456)
 ykman piv certificates export f9 intermediate.crt
 cat attest.crt intermediate.crt | base64 > attest.b64

• • Send mail to mitcert@mit.edu . They will generate an invitation link to cert-manager.com. When filling out the form, leave the SAN email field blank. Paste the csr file and the attest.b64 file into the form.
  • After issuance, choose the "Certificate (w/ issuer after), PEM" link from the resulting email message.
  • Import the certificate with "ykman piv certificates import 9a cert.pem" (where "cert.pem" is the downloaded file).

See also https://www.sectigo.com/knowledge-base/detail/Key-Generation-and-Attestation-with-YubiKey .

More general KfW release engineering information at Kerberos for Windows Release Engineering.