Re: [tor-bugs] #27320 [Applications/Tor Browser]: Build certutil for Windows
#27320: Build certutil for Windows
--------------------------------------+--------------------------
Reporter: JeremyRand | Owner: tbb-team
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-rbm | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by JeremyRand):
So when I initially wrote my draft patch, it was against the ESR52 branch.
I've just rebased against latest master branch, and it looks like ESR60
actually fixes the PE header already (certutil.exe is created as a console
application when building nightly with master branch of
tor-browser-build), so no changes are needed to force the Windows command-line tools
to run in console mode. That's a pleasant surprise.
> If you're going to add the binary to Windows, and the mar tools zip
> exists on macOS, please consider adding it to macOS as well.
AFAIK the mar-tools zip is indeed created for macOS, and I agree that it
makes sense to add certutil to macOS as well. That said, I don't have a
macOS machine available, so I won't have any way to verify on my end that
the resulting binary actually works properly. I don't want to cause you
guys undue work on this, so let me know if that's a problem.
While I'm fiddling with this, there are a few other potential changes in
this area of the build script that seem relevant:
1. Currently, libnssckbi.so / nssckbi.dll isn't copied to mar-tools. This
library is only needed for a subset of certutil's functionality
(specifically, the ability for certutil to change the trust settings of
built-in certificates), and if the library is missing, such operations
fail silently rather than giving a missing library error, which I assume
is why Tor didn't realize that that library was relevant. Is it okay if I
add that library to the mar-tools zip on all 3 OS's?
2. There are 3 other NSS command-line tools already being built by Tor's
build scripts and then discarded. These are modutil, pk12util, and
shlibsign. modutil and pk12util are, like certutil, tools for interacting
with NSS databases, and are regularly used in combination with certutil.
I'm not directly familiar with shlibsign, but some quick Googling suggests
that it's a utility that's required in order to enable the FIPS-compliant
mode of the other NSS command-line tools. My inclination is to add these
binaries to mar-tools (on all 3 OS's) since users who want to use certutil
are likely to be following a workflow that needs one or more of those
other tools too. Is that okay?
3. signmar is currently, like certutil, added to mar-tools on Linux but
not other OS's. For consistency's sake I'm inclined to add it to Windows
and macOS's mar-tools as well. Is that okay?
For review, my current draft is at
https://notabug.org/JeremyRand/tor-browser-build/src/certutil (current commit hash is
b345e6128419493ef8051f2e68bd1863716f072a). Please don't merge until the
above questions are figured out, but certainly feel free to review what I
have so far. This draft adds signmar, but does not yet add macOS
binaries, the nssckbi library, or the other NSS command-line tools.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27320#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
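
Whether a Windows binary such as certutil.exe is a console or a GUI application, the PE header property discussed in the comment above, is recorded in the Subsystem field of the PE optional header. The following check of that field is an added example, not part of the ticket or of the tor-browser-build scripts; the function names and the header-only sample image are constructed here.

```python
import struct
import sys

# IMAGE_SUBSYSTEM_* values from the PE format
SUBSYSTEMS = {2: "windows-gui", 3: "windows-console"}

def pe_subsystem(data: bytes) -> str:
    """Return the subsystem recorded in a PE image's optional header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4                                        # COFF file header
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20                                          # optional header start
    if opt_size < 70 or len(data) < opt + 70:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # Subsystem sits at offset 68 in both PE32 and PE32+ optional headers.
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return SUBSYSTEMS.get(subsystem, f"other({subsystem})")

def make_sample_pe(subsystem: int, magic: int = 0x20B) -> bytes:
    """Constructed header-only image (not a runnable binary) for offline checks."""
    opt_len = 240 if magic == 0x20B else 224
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # PE header directly after DOS header
    coff = bytearray(20)
    struct.pack_into("<H", coff, 16, opt_len)
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(opt)

if __name__ == "__main__":
    # Usage: python check_subsystem.py path/to/certutil.exe [more.exe ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, pe_subsystem(fh.read()))
```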