[tbb-bugs] #27320 [Applications/Tor Browser]: Build certutil for Windows

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Sep 7 09:25:57 UTC 2018


#27320: Build certutil for Windows
--------------------------------------+--------------------------
 Reporter:  JeremyRand                |          Owner:  tbb-team
     Type:  enhancement               |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-rbm                   |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by JeremyRand):

 So when I initially wrote my draft patch, it was against the ESR52 branch.
 I've just rebased against latest master branch, and it looks like ESR60
 actually fixes the PE header already (certutil.exe is created as a console
 application when building nightly with master branch of tor-browser-build),
 so no changes are needed to force the Windows command-line tools to run in
 console mode.  That's a pleasant surprise.

 > If you're going to add the binary to Windows, and the mar tools zip
 > exists on macOS, please consider adding it to macOS as well.

 AFAIK the mar-tools zip is indeed created for macOS, and I agree that it
 makes sense to add certutil to macOS as well.  That said, I don't have a
 macOS machine available, so I won't have any way to verify on my end that
 the resulting binary actually works properly.  I don't want to cause you
 guys undue work on this, so let me know if that's a problem.

 While I'm fiddling with this, there are a few other potential changes in
 this area of the build script that seem relevant:

 1. Currently, libnssckbi.so / nssckbi.dll isn't copied to mar-tools.  This
 library is only needed for a subset of certutil's functionality
 (specifically, the ability for certutil to change the trust settings of
 built-in certificates), and if the library is missing, such operations
 fail silently rather than giving a missing library error, which I assume
 is why Tor didn't realize that that library was relevant.  Is it okay if I
 add that library to the mar-tools zip on all 3 OS's?
 2. There are 3 other NSS command-line tools already being built by Tor's
 build scripts and then discarded.  These are modutil, pk12util, and
 shlibsign.  modutil and pk12util are, like certutil, tools for interacting
 with NSS databases, and are regularly used in combination with certutil.
 I'm not directly familiar with shlibsign, but some quick Googling suggests
 that it's a utility that's required in order to enable the FIPS-compliant
 mode of the other NSS command-line tools.  My inclination is to add these
 binaries to mar-tools (on all 3 OS's) since users who want to use certutil
 are likely to be following a workflow that needs one or more of those
 other tools too.  Is that okay?
 3. signmar is currently, like certutil, added to mar-tools on Linux but
 not other OS's.  For consistency's sake I'm inclined to add it to Windows
 and macOS's mar-tools as well.  Is that okay?

 For review, my current draft is at
 https://notabug.org/JeremyRand/tor-browser-build/src/certutil (current
 commit hash is b345e6128419493ef8051f2e68bd1863716f072a ).  Please don't
 merge until the above questions are figured out, but certainly feel free to
 review what I have so far.  This draft adds signmar, but does not yet add
 macOS binaries, the nssckbi library, or the other NSS command-line tools.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27320#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
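The comment above reports that with ESR60 certutil.exe is built as a console application, i.e. the Subsystem field of the PE optional header is IMAGE_SUBSYSTEM_WINDOWS_CUI (3) rather than IMAGE_SUBSYSTEM_WINDOWS_GUI (2), which is the difference that decides whether a command-line tool gets a console attached when it starts. The following is an added example, not code from the ticket, from tor-browser-build or from NSS: a small Python checker that reads that field from a PE file (PE32 and PE32+), so the claim can be verified on the actual mar-tools binaries. The minimal in-memory images it builds for itself are constructed test data, not real executables, and the script name in the usage comment is an assumption.

```python
"""Check whether a Windows PE binary (e.g. certutil.exe from mar-tools) is a
console (CUI) or GUI application by reading the Subsystem field of its
optional header.  Added example; not code from the Tor ticket or from NSS."""
import struct
import sys

# IMAGE_SUBSYSTEM_* values from the PE/COFF specification.
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2   # no console is attached at startup
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3   # what a command-line tool needs
SUBSYSTEM_NAMES = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI",
                   7: "POSIX_CUI", 9: "WINDOWS_CE_GUI", 10: "EFI_APPLICATION",
                   11: "EFI_BOOT_SERVICE_DRIVER", 12: "EFI_RUNTIME_DRIVER",
                   13: "EFI_ROM", 14: "XBOX", 16: "WINDOWS_BOOT_APPLICATION"}

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SUBSYSTEM_OFFSET = 68  # same offset in PE32 and PE32+ optional headers


def pe_subsystem(data: bytes) -> int:
    """Return the Subsystem value of a PE image, validating each header on the way."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or missing PE\\0\\0 signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER (20 bytes)
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                            # IMAGE_OPTIONAL_HEADER
    if size_of_optional < SUBSYSTEM_OFFSET + 2 or opt + size_of_optional > len(data):
        raise ValueError("optional header too short to hold Subsystem")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (subsystem,) = struct.unpack_from("<H", data, opt + SUBSYSTEM_OFFSET)
    return subsystem


def is_console_app(data: bytes) -> bool:
    """True when the image would get a console on startup (WINDOWS_CUI)."""
    return pe_subsystem(data) == IMAGE_SUBSYSTEM_WINDOWS_CUI


def describe(data: bytes) -> str:
    sub = pe_subsystem(data)
    return f"Subsystem={sub} ({SUBSYSTEM_NAMES.get(sub, 'unknown')})"


def build_minimal_pe(subsystem: int, pe32plus: bool = False) -> bytes:
    """Constructed test image: just enough headers for pe_subsystem(); not loadable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE header follows DOS header
    opt_size = 240 if pe32plus else 224
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, SUBSYSTEM_OFFSET, subsystem)
    machine = 0x8664 if pe32plus else 0x14C           # AMD64 / i386
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage (assumed script name): python pe_subsystem.py mar-tools/certutil.exe
    paths = sys.argv[1:]
    if not paths:  # no file given: show the check on constructed images
        print("constructed CUI image:", describe(build_minimal_pe(IMAGE_SUBSYSTEM_WINDOWS_CUI)))
        print("constructed GUI image:", describe(build_minimal_pe(IMAGE_SUBSYSTEM_WINDOWS_GUI)))
    for path in paths:
        with open(path, "rb") as f:
            print(path, describe(f.read()))
```

Running it over every .exe in the mar-tools zip is a cheap build-time check: a tool whose Subsystem comes back as 2 (WINDOWS_GUI) will run, but its stdout/stderr go nowhere when launched from a command prompt, which is exactly the failure the ticket was originally going to patch around.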


More information about the tbb-bugs mailing list