Build Moonshot from source on macOS (with macOS Identity Selector) - Obsolete
- Stefan Paetow
- Alex Perez Mendez
This page is obsolete. Please, use Build Moonshot from source on macOS (with macOS Identity Selector) instead
The Moonshot source code is available from our GIT repository and it all can be built by hand relatively easily, assuming you have all of the prerequisite packages installed. This page has instructions for building the software itself.
Contents
macOS versions
These instructions have been tested on macOS 10.12 Sierra and later.
1. System Preparation
1.1. Requirements
To build all of the Moonshot components, you need various packages installed. To install all of these, see below.
1.1.1. Get Xcode for macOS
To get all of the requirements on your macOS platform, you will need to install Xcode and the Xcode command-line extensions:
Install Xcode from the Mac App Store.
Open a Terminal, then install the Xcode Command Line Tools. You will be prompted with a dialog to install the Command Line Tools after a 130MB download.
$ xcode-select --install
If you have never launched Xcode before, do so at least once, or run the following command in your Terminal window.
$ sudo xcodebuild -license
1.1.2. Install the GNU tools for macOS
You will need to install several GNU tools:
Install GNU m4:
$ curl -OL https://ftp.gnu.org/gnu/m4/m4-1.4.18.tar.xz $ tar xf m4-1.4.18.tar.xz $ cd m4-* m4-1.4.18 $ ./configure m4-1.4.18 $ make && sudo make install && cd ..
Install GNU Autoconf:
$ curl -OL http://ftpmirror.gnu.org/autoconf/autoconf-2.69.tar.gz $ tar xfz autoconf-2.69.tar.gz $ cd autoconf-* autoconf-2.69 $ ./configure autoconf-2.69 $ make && sudo make install && cd ..
Install GNU Automake:
$ curl -OL http://ftpmirror.gnu.org/automake/automake-1.15.tar.gz $ tar xfz automake-1.15.tar.gz $ cd automake-* automake-1.15 $ ./configure automake-1.15 $ make && sudo make install && cd ..
Install GNU Libtool:
$ curl -OL http://ftpmirror.gnu.org/libtool/libtool-2.4.6.tar.gz $ tar xfz libtool-2.4.6.tar.gz $ cd libtool-* libtool-2.4.6 $ ./configure libtool-2.4.6 $ make && sudo make install && cd ..
Install GNU GetText:
$ curl -OL http://ftpmirror.gnu.org/gettext/gettext-latest.tar.gz $ tar xfz gettext-latest.tar.gz $ cd gettext-* gettext-latest $ ./configure gettext-latest $ make && sudo make install && cd ..
1.1.3. Install MacPorts and Makedepend
Makedepend is available from MacPorts. Install MacPorts:
Download the latest install package from MacPorts.org, then update it:
$ sudo port -v selfupdate
Install Makedepend from MacPorts:
$ sudo port install makedepend
MacPorts
If you prefer to not install MacPorts, install Makedepend manually as follows:
Install pkg-config:
$ curl -OL http://pkgconfig.freedesktop.org/releases/pkg-config-0.28.tar.gz $ tar xfz pkg-config-0.28.tar.gz $ cd pkg-config-* pkg-config-0.28 $ ./configure --with-internal-glib pkg-config-0.28 $ make && sudo make install && cd ..
Install util-macros:
$ curl -OL https://www.x.org/releases/individual/util/util-macros-1.19.1.tar.gz $ tar xfz util-macros-1.19.1.tar.gz $ cd util-macros-* util-macros-1.19.1 $ ./configure util-macros-1.19.1 $ make && sudo make install && cd ..
Install xproto:
$ curl -OL https://www.x.org/archive/individual/proto/xproto-7.0.31.tar.gz $ tar xfz xproto-7.0.31.tar.gz $ cd xproto-* xproto-7.0.31 $ ./configure xproto-7.0.31 $ make && sudo make install && cd ..
Install makedepend:
$ curl -OL https://www.x.org/releases/individual/util/makedepend-1.0.5.tar.gz $ tar xfz makedepend-1.0.5.tar.gz $ cd makedepend-* makedepend-1.0.5 $ ./configure makedepend-1.0.5 $ make && sudo make install && cd ..
1.1.4. Install JSON from CPAN
Update CPAN and install JSON:
$ sudo cpan install JSON
2. Setting build parameters and locations
Just like on Linux, build and installation locations matter, with one vital difference. On macOS, the /usr tree itself is locked down and inaccessible, even for the privileged (root) user. However, locations like /usr/local are open, and with newer versions of the OS, expect this to change.
For the purposes of this set of instructions, we recommend the following:
- For all the Moonshot dependencies, including Moonshot itself, but excluding Heimdal, the
--prefixparameter should be set to/usr/local/moonshot.
If you decide to change this location, you should appropriately change the locations in the commands in Sections 3 and 5 to your preference. - For Heimdal, the
--prefixparameter should be set to/usr/local/heimdal. This is because we are using Heimdal only for the header files that the Heimdal build generates, not for any library linking. It makes the eventual distribution easier. - We recommend that you build all libraries with the
-rpathparameter enabled for all libraries to avoid any clashes with other libraries (such as the older version of OpenSSL that macOS ships for compatibility reasons). We have been assured by macOS developers that theclangandlibtooltools for macOS support this. - We do NOT recommend using the Apple-provided sources for some libraries (such as Heimdal) as they have various customisations that may negatively impact how Moonshot works, and because Apple categorically WILL NOT support any of their own source sets (we've tried through a Platinum support path and had the support ticket closed and refunded).
If you DO try using Apple's OpenSource sources and find that things build and function fine, please let us know by commenting on this document (with instructions that we can update this document with). These instructions should generally be backward-compatible.
3. Download and build the required external dependencies
3.1.1. PCRE
PCRE is required during the build of some later dependencies. Libffi is one of these.
Download PCRE:
$ curl -OL https://ftp.pcre.org/pub/pcre/pcre-8.42.tar.bz2
Extract PCRE:
$ tar xfz pcre-8.42.tar.bz2
Build PCRE:
$ cd pcre-8.42 pcre-8.42$ ./configure --disable-dependency-tracking --enable-utf8 --enable-pcre8 --enable-pcre16 \ --enable-pcre32 --enable-unicode-properties --enable-pcregrep-libz --enable-pcregrep-libbz2 --enable-jit pcre-8.42$ make pcre-8.42$ sudo make install
3.1.2. Libffi
Libffi is a dependency of the Glib library that in turn is used by the Moonshot library for some Dbus functionality
Download Libffi:
$ curl -OL https://sourceware.org/pub/libffi/libffi-3.2.1.tar.gz
Extract Libffi:
$ tar xfz libffi-3.2.1.tar.gz
Build Libffi:
$ cd libffi-3.2.1 libffi-3.2.1$ ./configure --disable-debug --disable-dependency-tracking libffi-3.2.1$ make libffi-3.2.1$ sudo make install
3.1.3. OpenSSL
The version of OpenSSL that Apple ships in macOS for backward compatibility is too old, and Moonshot requires at least OpenSSL v1.0.1.
- Create a directory called
openssl. Download the OpenSSL build tree from Apple's OpenSource site. Some scripts that Apple provides will be needed, but we will not build it.
$ cd openssl && curl -OL https://opensource.apple.com/tarballs/OpenSSL098/OpenSSL098-59.60.1.tar.gz
Download the latest OpenSSL build from the OpenSSL website. We will build this version.
$ curl -OL https://www.openssl.org/source/old/1.0.2/openssl-1.0.2l.tar.gz
- Extract
OpenSSL098-59.60.1.tar.gz, copy its 'bin' directory into the openssl directory, then delete the extracted source. - Edit the
extract_source.shscript in thebindirectory: - Comment out the IDEA removal and patch lines (lines 39-49).
- Add the following parameters to each of the three
./Configurelines:no-ssl2 enable-ec_nistp_64_gcc_128 - Change the
--openssldirparameter to your appropriate directory. We recommend/usr/local/moonshot/bin - Change the
--prefixparameter from/usrto/usr/local/moonshot - Comment out the line
'rm -f Makefile' - Find the line
'rm -f x86_64.h i386.h', and insert the following below it:ln -s crypto/idea/idea.h include/openssl/idea.h From the openssl directory, run the following:
openssl$ bin/extract_source.sh .
- In the
srcdirectory, edit theMakefilefile:- Add the
-DNO_IDEAparameter to theCFLAGline - Add the
-DNO_IDEAparameter to theDEPFLAGline
- Add the
Run the following commands:
openssl/src$ make depend openssl/src$ make openssl/src$ sudo make install_sw
3.1.4. Heimdal
Heimdal requires OpenSSL. Once OpenSSL has built successfully, build Heimdal.
Download Heimdal:
$ curl -OL https://github.com/heimdal/heimdal/releases/download/heimdal-7.3.0/heimdal-7.3.0.tar.gz
Extract Heimdal:
$ tar xfz heimdal-7.3.0.tar.gz
Build Heimdal:
$ cd heimdal-7.3.0 heimdal-7.3.0$ ./autogen.sh heimdal-7.3.0$ ./configure --prefix=/usr/local/heimdal --with-openssl=/usr/local/moonshot heimdal-7.3.0$ make heimdal-7.3.0$ sudo make install
- Note down both the location in which you built Heimdal, as well as where the Heimdal libraries are installed to (if you changed the
--prefixparameter to something else). You will need a binary from the Heimdal build for the Moonshot build in Section 6, and you will need to set the--with-krb5parameter of the Moonshot./configurecommand in Section 6 to the location where you installed Heimdal.
3.1.5. LibConfuse
Clone the latest Libconfuse repository:
$ git clone --recursive https://github.com/martinh/libconfuse
Build Libconfuse:
$ cd libconfuse libconfuse$ ./autogen.sh libconfuse$ LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " ./configure --prefix=/usr/local/moonshot libconfuse$ make libconfuse$ sudo make install
3.1.6. LibEvent
Libevent requires OpenSSL. Once OpenSSL has built successfully, build Libevent.
Clone the latest Libevent repository:
$ git clone --recursive https://github.com/libevent/libevent
Build Libevent:
$ cd libevent libevent$ ./autogen.sh libevent$ CFLAGS=" -I/usr/local/moonshot/include " LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " ./configure \ --prefix=/usr/local/moonshot libevent$ make libevent$ sudo make install
3.1.7. Dbus
Dbus is used by the macOS client to communicate with the Moonshot mechanism.
Download the latest version of Dbus:
$ curl -OL https://dbus.freedesktop.org/releases/dbus/dbus-1.12.10.tar.gz
Extract Dbus:
$ tar xfz dbus-1.12.10.tar.gz
Build Dbus:
$ cd dbus-1.12.10 dbus-1.12.10$ TMPDIR=/tmp \ EXPAT_CFLAGS=" -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include" \ EXPAT_LIBS=-lexpat XML_CATALOG_FILES=/etc/xml/catalog ./configure --disable-dependency-tracking --prefix=/usr/local/moonshot \ --sysconfdir=/etc --disable-xml-docs --disable-doxygen-docs --enable-launchd --with-launchd-agent-dir=/usr/local/moonshot \ --without-x --disable-tests dbus-1.12.10$ make dbus-1.12.10$ sudo make install
3.1.8. Glib
Glib is required by the Moonshot library and Dbus-Glib.
Download the latest version of Glib:
$ curl -OL https://download.gnome.org/sources/glib/2.58/glib-2.58.1.tar.xz
Extract Glib:
$ tar fx glib-2.58.1.tar.xz
Build Dbus:
$ cd glib-2.58.1 glib-2.58.1$ ./autogen.sh glib-2.58.1$ PKG_CONFIG_PATH=/usr/local/moonshot/lib/pkgconfig ./configure --disable-maintainer-mode \ --disable-dependency-tracking --disable-silent-rules --disable-dtrace \ --disable-libelf --enable-static --prefix=/usr/local/moonshot \ --localstatedir=/var --with-gio-module-dir=/usr/local/moonshot/lib/gio/modules glib-2.58.1$ make glib-2.58.1$ sudo make install
3.1.9. Dbus-Glib
Dbus-Glib is used by the Moonshot library to interact with Dbus.
Download the latest version of Dbus:
$ curl -OL https://dbus.freedesktop.org/releases/dbus-glib/dbus-glib-0.110.tar.gz
Extract Dbus-Glib:
$ tar xfz dbus-glib-0.110.tar.gz
Configure the Dbus-Glib build:
$ cd dbus-glib-0.110 dbus-glib-0.110$ TMPDIR=/tmp EXPAT_CFLAGS=" -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include" \ EXPAT_LIBS=-lexpat XML_CATALOG_FILES=/etc/xml/catalog PKG_CONFIG_PATH=/usr/local/moonshot/lib/pkgconfig \ ./configure --disable-dependency-tracking --prefix=/usr/local/moonshot
- Edit the
dbus/Makefilefile, remove'examples'from theSUBDIRSline, save the file. Build Dbus-Glib:
dbus-glib-0.110$ make dbus-glib-0.110$ sudo make install dbus-glib-0.110$ cd -
3.1.10. Jansson
Jansson is used by the Moonshot libraries.
Download the latest version of Jansson:
$ curl -OL http://www.digip.org/jansson/releases/jansson-2.12.tar.gz
Extract Jansson:
$ tar xfz jansson-2.12.tar.gz
Configure the Jansson build:
$ cd jansson-2.12 jansson-2.12$ LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " CFLAGS=" -I/usr/local/moonshot/include " ./configure \ --prefix=/usr/local/moonshot --with-sysroot=/usr/local/moonshot
Build Jansson:
jansson-2.12$ make jansson-2.12$ sudo make install jansson-2.12$ cd -
4. Checkout the Moonshot source
The Moonshot source code is all stored in a GIT repository at https://github.com/janetuk.
5. Build Moonshot
5.1. Libradsec
Libradsec is used by the Moonshot libraries.
Clone the Libradsec source code:
$ git clone https://github.com/janetuk/libradsec.git
Configure the Libradsec build:
$ cd libradsec libradsec$ chmod +x autogen.sh && ./autogen.sh libradsec$ LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " \ CFLAGS=" -I/usr/local/moonshot/include -Wno-duplicate-decl-specifier -Wno-tautological-compare " ./configure \ --prefix=/usr/local/moonshot
Build Libradsec:
libradsec$ make libradsec$ sudo make install libradsec$ cd -
5.2. The Moonshot UI
The Moonshot UI contains two components, libmoonshot, which is the interface between the Moonshot mechanism and the Identity Selector, and the Identity Selector itself. Libmoonshot and the Identity Selector can be built together:
Clone the Moonshot UI project:
$ git clone https://github.com/janetuk/moonshot-ui.git $ cd moonshot-ui && git checkout macos-build-integration && cd -
Configure the UI build:
$ cd moonshot-ui moonshot-ui$ chmod +x autogen.sh moonshot-ui$ PKG_CONFIG_PATH=/usr/local/moonshot/lib/pkgconfig LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " \ DBUS_DAEMON="/usr/local/moonshot/bin" ./autogen.sh --prefix=/usr/local/moonshot
Apple Developer Team ID support
Optionally, if you have multiple Apple Developer ID certificates for different teams installed, use the optional
--with-apple-developer-id=DeveloperTeamIDparameter to specify the ID that is shown in brackets in the certificates. The build currently does not support Mac Developer certificates.To disable Apple Developer Team ID checks and signing, specify
--with-apple-developer-id=noBuild Libmoonshot:
moonshot-ui$ make moonshot-ui$ sudo make install
Pay attention to the output the
sudo make installcommand provides and double-check that the library exists in/usr/local/moonshot/lib.Build the Identity Selector:
moonshot-ui$ make app-bundle
- The Moonshot app will be in the
ui/macos-ui/build/Releasedirectory. You can then copy it from there to the/Applicationsfolder.
Identity Selector app signing
Currently the Identity Selector is not signed. This is to avoid limitations with macOS sandboxing. However, once we enable signing for the Identity Selector, you should see follow these additional steps:
Pay attention to the output the
make app-bundlecommand provides. You should see something similar to this to show that the build has copied the entitlements and has signed the application:ProcessProductPackaging "" build/Moonshot.build/Release/Moonshot.build/Moonshot.app.xcent cd /.../macos-ui Entitlements: { "com.apple.security.app-sandbox" = 1; "com.apple.security.files.downloads.read-only" = 1; "com.apple.security.files.user-selected.read-only" = 1; } builtin-productPackagingUtility -entitlements -format xml -o macos-ui/build/Moonshot.build/Release/Moonshot.build/Moonshot.app.xcent CodeSign build/Release/Moonshot.app cd /.../macos-ui export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate Signing Identity: "Developer ID Application: <your Apple Developer ID Application signing certificate CN here>"If Xcode did not sign the code and you did not disable Apple Developer ID checks and signing in Step 2, sign it manually:
moonshot-ui$ codesign --force --sign "<your Apple Developer ID Application signing certificate CN here>" "macos-ui/build/Release/Moonshot.app"
If you disabled Apple Developer ID checks in Step 2, skip this step. Otherwise verify the signing with the following command; you should have lines like these:
moonshot-ui$ codesign -dv --verbose=4 "macos-ui/build/Release/Moonshot.app" : Authority=Developer ID Certification Authority Authority=Apple Root CA Signed Time=16 Jan 2019, 11:24:21 Info.plist entries=24 TeamIdentifier=<your Apple Developer team ID here> :
5.3. The Moonshot mechanism
Clone the Moonshot mechanism project:
$ git clone https://github.com/janetuk/mech_eap.git
Configure the Moonshot build :
mech_eap$ chmod +x ./autogen.sh && ./autogen.sh mech_eap$ LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " LIBS=" -L/usr/local/moonshot/lib " \ COMPILE_ET="/Users/admin/Desktop/build/heimdal-7.3.0/lib/com_err/compile_et" ./configure --with-krb5=/usr/local/heimdal \ --with-libmoonshot=/usr/local/moonshot --with-radsec=/usr/local/moonshot --with-opensaml=no --with-shibresolver=no \ --with-shibsp=no --with-openssl=/usr/local/moonshot --with-jansson=/usr/local/moonshot --sysconfdir=/etc
Configure script parameters
There are several parameters in the command above that rely on locations noted down previously:
LIBScontains explicit library location references to the Moonshot libraries.COMPILE_ETcontains the full path to thecompile_etbinary that will be in your Heimdal build tree. You noted this down in the last step of Section 3.1.4.--with-krb5contains the location where the Heimdal libraries and headers were installed. You noted this down in the last step of Section 3.1.4.Pay attention to the latter part of the
configurecommand output and verify that it has found themoonshotlibrary.checking for Moonshot identity selector implementation... yes libmoonshot found in /usr/local/moonshot checking for moonshot_get_identity in -lmoonshot... yes
Build Moonshot:
mech_eap$ make mech_eap$ sudo make install
If the first
makecommand fails, change to themech_eapdirectory and run the following:mech_eap$ make clean mech_eap$ make
You should now have amech_eap.sofile in/usr/local/lib/gss.
6. Test Moonshot
To test this build of Moonshot, you will need to make some privileged changes to the system you built this on:
In
/etc, create agssdirectory:mech_eap$ sudo mkdir -p /etc/gss
Copy the
mechfile from the Moonshotmech_eapbuild directory to/etc/gssmech_eap$ sudo cp mech_eap/mech /etc/gss/
- As the privileged user, edit the
/etc/gss/mechfile:- Change the
mech_eap.soentry on each line to the full path of the library, e.g./usr/local/lib/gss/mech_eap.so - Save the file.
- Change the
Copy the Identity Selector app (Moonshot.app) you built in Step 2 of Section 5.2 above into the /Applications folder.
- Run the Identity Selector app from the Launch Pad, then add a new Moonshot identity to the app.
Run an SSH command to a Moonshot-enabled system that the credentials you added in the previous step will be valid for:
ssh -Kv user@moonshot-host.realm
Jisc Assent
If you have an identity provider on the Jisc Assent network, you can use
ssh -Kv moonshot@ssh.test.moonshot.ja.netto test whether your macOS Moonshot mechanism worked successfully.You should be prompted for an identity the first time you do this, and then successfully connect to the service. You should see several lines like this in the output:
debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Delegating credentials debug1: Delegating credentials debug1: Delegating credentials debug1: Delegating credentials debug1: Delegating credentials debug1: Delegating credentials debug1: Delegating credentials debug1: Delegating credentials debug1: Delegating credentials debug1: Delegating credentials debug1: Delegating credentials debug1: Authentication succeeded (gssapi-with-mic). Authenticated to ssh.test.moonshot.ja.net ([212.219.179.184]:22). debug1: channel 0: new [client-session] debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug1: Sending environment. debug1: Sending env LANG = en_GB.UTF-8
Jisc Assent
On the Jisc Assent Test SSH Service, the final output for success will be this:
debug1: Entering interactive session. debug1: Sending environment. debug1: Sending env LANG = en_GB.UTF-8 *** JISC Moonshot Test SSH Server *** You have successfully logged in with Moonshot. You are user: moonshot [moonshot@ssh ~]$
7. Distribute and install Moonshot
To distribute this binary set, you will need to trim down the binaries you have built to include only the dynamic libraries and only bare essentials needed to run the mechanism:
7.1. Automatic build
The macos-ui directory in the moonshot-ui/ tree has a Makefile that will automatically run all the build steps in Section 7.2.
- Change to the
macos-uidirectory, runmake installer. - The final result should be a signed (if you chose to use Apple Developer ID support)
Moonshot.dmgfile in themacos-uidirectory.
7.2. Manual build
7.2.1. Create the distribution archive for the mechanism
Make a copy of the
/usr/localdirectory into the Installer directory as the privileged user.macos-ui$ mkdir -p Installer/local macos-ui$ sudo cp -R /usr/local/* Installer/local macos-ui$ sudo chown -R `whoami` Installer/local
Once the duplication process is complete, change to the
Installer/localdirectory and remove everything except the following in the tree:. ./lib ./lib/gss ./lib/gss/mech_eap.so ./lib/libffi.6.dylib ./lib/libffi.dylib ./lib/libintl.8.dylib ./lib/libintl.dylib ./lib/libpcre.1.dylib ./lib/libpcre.dylib ./moonshot ./moonshot/bin ./moonshot/bin/c_rehash ./moonshot/bin/certs ./moonshot/bin/dbus-binding-tool ./moonshot/bin/dbus-cleanup-sockets ./moonshot/bin/dbus-daemon ./moonshot/bin/dbus-launch ./moonshot/bin/dbus-monitor ./moonshot/bin/dbus-run-session ./moonshot/bin/dbus-send ./moonshot/bin/dbus-test-tool ./moonshot/bin/dbus-update-activation-environment ./moonshot/bin/dbus-uuidgen ./moonshot/bin/event_rpcgen.py ./moonshot/bin/gdbus ./moonshot/bin/gdbus-codegen ./moonshot/bin/misc ./moonshot/bin/misc/c_hash ./moonshot/bin/misc/c_info ./moonshot/bin/misc/c_issuer ./moonshot/bin/misc/c_name ./moonshot/bin/misc/CA.pl ./moonshot/bin/misc/CA.sh ./moonshot/bin/misc/tsget ./moonshot/bin/openssl ./moonshot/bin/openssl.cnf ./moonshot/bin/private ./moonshot/lib ./moonshot/lib/engines ./moonshot/lib/engines/lib4758cca.dylib ./moonshot/lib/engines/libaep.dylib ./moonshot/lib/engines/libatalla.dylib ./moonshot/lib/engines/libcapi.dylib ./moonshot/lib/engines/libchil.dylib ./moonshot/lib/engines/libcswift.dylib ./moonshot/lib/engines/libgmp.dylib ./moonshot/lib/engines/libgost.dylib ./moonshot/lib/engines/libnuron.dylib ./moonshot/lib/engines/libpadlock.dylib ./moonshot/lib/engines/libsureware.dylib ./moonshot/lib/engines/libubsec.dylib ./moonshot/lib/libconfuse.2.dylib ./moonshot/lib/libconfuse.dylib ./moonshot/lib/libcrypto.1.0.0.dylib ./moonshot/lib/libcrypto.dylib ./moonshot/lib/libdbus-1.3.dylib ./moonshot/lib/libdbus-1.dylib ./moonshot/lib/libdbus-glib-1.2.dylib ./moonshot/lib/libdbus-glib-1.dylib ./moonshot/lib/libevent-2.1.6.dylib ./moonshot/lib/libevent.dylib ./moonshot/lib/libevent_core-2.1.6.dylib ./moonshot/lib/libevent_core.dylib ./moonshot/lib/libevent_extra-2.1.6.dylib ./moonshot/lib/libevent_extra.dylib ./moonshot/lib/libevent_openssl-2.1.6.dylib ./moonshot/lib/libevent_openssl.dylib ./moonshot/lib/libevent_pthreads-2.1.6.dylib ./moonshot/lib/libevent_pthreads.dylib ./moonshot/lib/libgio-2.0.0.dylib ./moonshot/lib/libgio-2.0.dylib ./moonshot/lib/libglib-2.0.0.dylib ./moonshot/lib/libglib-2.0.dylib ./moonshot/lib/libgmodule-2.0.0.dylib ./moonshot/lib/libgmodule-2.0.dylib ./moonshot/lib/libgobject-2.0.0.dylib ./moonshot/lib/libgobject-2.0.dylib ./moonshot/lib/libgthread-2.0.0.dylib ./moonshot/lib/libgthread-2.0.dylib ./moonshot/lib/libjansson.4.dylib ./moonshot/lib/libjansson.dylib ./moonshot/lib/libmoonshot.0.dylib ./moonshot/lib/libmoonshot.1.dylib ./moonshot/lib/libmoonshot.dylib ./moonshot/lib/libradsec.0.dylib ./moonshot/lib/libradsec.dylib ./moonshot/lib/libssl.1.0.0.dylib ./moonshot/lib/libssl.dylib ./moonshot/libexec ./moonshot/libexec/dbus-daemon-launch-helper ./moonshot/org.freedesktop.dbus-session.plist ./moonshot/share ./moonshot/share/dbus-1 ./moonshot/share/dbus-1/services ./moonshot/share/dbus-1/session.conf ./moonshot/share/dbus-1/session.d ./moonshot/share/dbus-1/system-services ./moonshot/share/dbus-1/system.conf ./moonshot/share/dbus-1/system.d ./moonshot/share/xml ./moonshot/share/xml/dbus-1 ./moonshot/share/xml/dbus-1/busconfig.dtd ./moonshot/share/xml/dbus-1/introspect.dtd ./moonshot/var ./moonshot/var/lib ./moonshot/var/lib/dbus ./moonshot/var/run ./moonshot/var/run/dbus
Sample commands
Below are some sample commands that do the trimming for you. Save the above list in a file called
'filelist.txt'in your<new location>parent directory. Then execute these:$ cd Installer/local local$ rm -rff $(ls |grep -v moonshot |grep -v lib) local$ for i in $(find . \( -type f -o -type l \)) ; do if [ -z "$(fgrep $i ../../filemanifest.txt)" ]; then rm -f "$i"; fi; done local$ for i in $(find . -type d |awk '{ print length, $0 }' |sort -nr -s |cut -d" " -f2-) ; do if [ -z "$(fgrep $i ../../filemanifest.txt)" ]; then rmdir "$i"; fi; doneA
'find .'command should yield the same list as the above.Now use tar to package up the contents of your distribution directory.
local$ tar -zcvf local.tar.gz ./
You should have a tarball around 4.1 MB in size.
Now move
local.tar.gzto theui/macos-ui/Installerdirectory:local$ mv local.tar.gz ../ local$ cd ../..
7.2.2. The Moonshot Uninstaller utility
The Uninstaller utility is an Xcode project.
Build the Uninstaller utility:
moonshot-ui$ make uninstaller-bundle
Pay attention to the output the
make uninstaller-bundlecommand provides. You should see something similar to this to show that the build has copied the entitlements and has signed the application:ProcessProductPackaging "" build/Uninstall\ Moonshot.build/Release/Uninstall\ Moonshot.build/Uninstall\ Moonshot.app.xcent cd /.../macos-ui/Uninstaller Entitlements: { "com.apple.security.app-sandbox" = 0; "com.apple.security.files.user-selected.read-only" = 0; } builtin-productPackagingUtility -entitlements -format xml -o /.../macos-ui/Uninstaller/build/Uninstall\ Moonshot.build/Release/Uninstall\ Moonshot.build/Uninstall\ Moonshot.app.xcent CodeSign build/Release/Uninstall\ Moonshot.app cd /.../macos-ui/Uninstaller export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate Signing Identity: "Developer ID Application: <your Apple Developer ID Application signing certificate CN here>"If Xcode did not sign the code and you did not disable Apple Developer ID checks in Section 5.2, Step 2, sign it manually:
moonshot-ui$ codesign --force --sign "<your Apple Developer ID Application signing certificate CN here>" "macos-ui/build/Release/Uninstall Moonshot.app"
Verify the signing with the following command; you should have lines like these:
moonshot-ui$ codesign -dv --verbose=4 "macos-ui/Uninstaller/build/Release/Uninstall Moonshot.app" : Authority=Developer ID Certification Authority Authority=Apple Root CA Signed Time=16 Jan 2019, 11:24:21 Info.plist entries=24 TeamIdentifier=<your Apple Developer team ID here> :
The
Uninstall Moonshotapp will be in theui/macos-ui/Uninstaller/build/Releasedirectory. You can then copy it from there to the/Applicationsfolder.
7.2.3. The Moonshot Installer
The Moonshot installer contains the distribution archive, the uninstaller utility, and the Moonshot identity selector.
Change to the Installer folder:
$ cd ui/macos-ui/Installer
- Copy the Moonshot identity selector app from the Applications folder to the
LatestBuilddirectory - Copy the Uninstall Moonshot app from the
ui/macos-ui/Uninstaller/build/Releasedirectory to theLatestBuilddirectory - Copy the distribution archive you created in Section 8.1 to this directory, replacing the existing
local.tar.gzfile. Build the installer:
Installer$ mkdir Moonshot Installer$ packagesbuild Moonshot.pkgproj Installer$ productsign --sign "<your Apple Developer ID Installer signing certificate CN here>" Moonshot.pkg Moonshot/Moonshot.pkg
Create the Moonshot distribution disk image:
Installer$ chmod +x create-dmg.sh Installer$ create-dmg.sh --volname "Moonshot" \ --volicon moonshot-dmg-volumeicons.icns \ --background moonshot-dmg-background-with-start.png \ --no-internet-enable --window-size 400 273 --icon-size 64 --text-size 14 \ --icon "Moonshot.pkg" 160 48 --hide-extension "Moonshot.pkg" \ Moonshot.dmg Moonshot/ Installer$ codesign --sign "<your Apple Developer ID Application signing certificate CN here>" Moonshot.dmg
- Copy the resulting
Moonshot.dmgto your distribution point. Generate a checksum for
Moonshot.dmgwith the following command:$ shasum -a 256 Moonshot.dmg
8. Issues
Current issues with this build include that the macOS SSH client abandons any gssapi-with-mic conversations if the first mechanism it chooses, fails.
In a domain environment, this usually involves a Kerberos interaction, i.e. where you have received a Kerberos ticket before by logging in or by running kinit. Other ssh clients (or a custom build of the ssh client) may not exhibit this behaviour.
On macOS Sierra and later, the native SSH client is sandboxed when run from its default location in /usr/bin. Making a copy of the binary in /usr/local/bin enables it to authenticate with Moonshot. Adjust /etc/paths to load binaries in /usr/local/bin first, then restart your sessions.
Currently the Moonshot Identity Manager (Moonshot.app) is not signed during the automatic build. This is due to Apple sandboxing the app when it is signed, making it impossible for it to communicate with Dbus (and by extension, the Moonshot mechanism). Not signing the app allows Moonshot authentication to proceed.