The Moonshot source code is available from our Git repository and can all be built by hand relatively easily, assuming you have all of the prerequisite packages installed. This page has instructions for building the software itself.

macOS versions

These instructions have been tested on macOS 10.12 Sierra and later.

1. System Preparation

1.1. Requirements

To build all of the Moonshot components, you need various packages installed. To install all of these, see below.

1.1.1. Get Xcode for macOS

To get all of the requirements on your macOS platform, you will need to install Xcode and the Xcode Command Line Tools:

  1. Install Xcode from the Mac App Store.

  2. Open a Terminal, then install the Xcode Command Line Tools. You will be prompted with a dialog to install the Command Line Tools after a 130MB download.

    $ xcode-select --install
  3. If you have never launched Xcode before, do so at least once, or run the following command in your Terminal window.

    $ sudo xcodebuild -license

1.1.2. Install the GNU tools for macOS

You will need to install several GNU tools:

  1. Install GNU m4:

    $ curl -OL https://ftp.gnu.org/gnu/m4/m4-1.4.18.tar.xz
    $ tar xf m4-1.4.18.tar.xz
    $ cd m4-*
    m4-1.4.18 $ ./configure
    m4-1.4.18 $ make && sudo make install && cd ..
  2. Install GNU Autoconf:

    $ curl -OL https://ftpmirror.gnu.org/autoconf/autoconf-2.69.tar.gz
    $ tar xfz autoconf-2.69.tar.gz
    $ cd autoconf-*
    autoconf-2.69 $ ./configure
    autoconf-2.69 $ make && sudo make install && cd ..
  3. Install GNU Automake:

    $ curl -OL https://ftpmirror.gnu.org/automake/automake-1.15.tar.gz
    $ tar xfz automake-1.15.tar.gz
    $ cd automake-*
    automake-1.15 $ ./configure
    automake-1.15 $ make && sudo make install && cd ..
  4. Install GNU Libtool:

    $ curl -OL https://ftpmirror.gnu.org/libtool/libtool-2.4.6.tar.gz
    $ tar xfz libtool-2.4.6.tar.gz
    $ cd libtool-*
    libtool-2.4.6 $ ./configure
    libtool-2.4.6 $ make && sudo make install && cd ..
  5. Install GNU GetText:

    $ curl -OL https://ftpmirror.gnu.org/gettext/gettext-latest.tar.gz
    $ tar xfz gettext-latest.tar.gz
    $ cd gettext-*
    gettext-latest $ ./configure
    gettext-latest $ make && sudo make install && cd ..

1.1.3. Install MacPorts and Makedepend

Makedepend is available from MacPorts. Install MacPorts:

  1. Download the latest install package from MacPorts.org, then update it:

    $ sudo port -v selfupdate
  2. Install Makedepend from MacPorts:

    $ sudo port install makedepend

MacPorts

If you prefer to not install MacPorts, install Makedepend manually as follows:

  1. Install pkg-config:

    $ curl -OL https://pkgconfig.freedesktop.org/releases/pkg-config-0.28.tar.gz
    $ tar xfz pkg-config-0.28.tar.gz
    $ cd pkg-config-*
    pkg-config-0.28 $ ./configure --with-internal-glib
    pkg-config-0.28 $ make && sudo make install && cd ..
  2. Install util-macros:

    $ curl -OL https://www.x.org/releases/individual/util/util-macros-1.19.1.tar.gz
    $ tar xfz util-macros-1.19.1.tar.gz
    $ cd util-macros-*
    util-macros-1.19.1 $ ./configure
    util-macros-1.19.1 $ make && sudo make install && cd ..
  3. Install xproto:

    $ curl -OL https://www.x.org/archive/individual/proto/xproto-7.0.31.tar.gz
    $ tar xfz xproto-7.0.31.tar.gz
    $ cd xproto-*
    xproto-7.0.31 $ ./configure
    xproto-7.0.31 $ make && sudo make install && cd ..
  4. Install makedepend:

    $ curl -OL https://www.x.org/releases/individual/util/makedepend-1.0.5.tar.gz
    $ tar xfz makedepend-1.0.5.tar.gz
    $ cd makedepend-*
    makedepend-1.0.5 $ ./configure
    makedepend-1.0.5 $ make && sudo make install && cd ..

1.1.4. Install JSON from CPAN

  1. Update CPAN and install JSON:

    $ sudo cpan install JSON

2. Setting build parameters and locations

Just like on Linux, build and installation locations matter, with one vital difference. On macOS, System Integrity Protection (SIP) makes the /usr tree read-only, even for the privileged (root) user. /usr/local is exempt from SIP and remains writable, but expect this to tighten in newer versions of the OS.

For the purposes of this set of instructions, we recommend the following:

  1. For all the Moonshot dependencies, including Moonshot itself, but excluding Heimdal, the --prefix parameter should be set to /usr/local/moonshot.
    If you decide to change this location, you should appropriately change the locations in the commands in Sections 3 and 5 to your preference.
  2. For Heimdal, the --prefix parameter should be set to /usr/local/heimdal. This is because we are using Heimdal only for the header files that the Heimdal build generates, not for any library linking. It makes the eventual distribution easier.
  3. We recommend that you build all libraries with an rpath pointing at /usr/local/moonshot/lib (the -Wl,-rpath,/usr/local/moonshot/lib linker flag used in the commands below), so that they find each other at run time instead of picking up other copies on the system (such as the older version of OpenSSL that macOS ships for compatibility reasons). We have been assured by macOS developers that the clang and libtool tools for macOS support this.
  4. We do NOT recommend using the Apple-provided sources for some libraries (such as Heimdal) as they have various customisations that may negatively impact how Moonshot works, and because Apple categorically WILL NOT support any of their own source sets (we've tried through a Platinum support path and had the support ticket closed and refunded).
    If you DO try using Apple's OpenSource sources and find that things build and function fine, please let us know by commenting on this document (with instructions that we can update this document with).
  5. These instructions should generally be backward-compatible.

3. Download and build the required external dependencies

3.1.1. PCRE

PCRE is required during the build of some later dependencies, such as Glib. Note that PCRE and Libffi below are configured without a --prefix, so they install under the default /usr/local rather than /usr/local/moonshot; the distribution manifest in Section 7.2.1 expects them there.

  1. Download PCRE:

    $ curl -OL https://ftp.pcre.org/pub/pcre/pcre-8.42.tar.bz2
  2. Extract PCRE:

    $ tar xfj pcre-8.42.tar.bz2
  3. Build PCRE:

    $ cd pcre-8.42
    pcre-8.42$ ./configure --disable-dependency-tracking --enable-utf8 --enable-pcre8 --enable-pcre16 \
    --enable-pcre32 --enable-unicode-properties --enable-pcregrep-libz --enable-pcregrep-libbz2 --enable-jit
    pcre-8.42$ make
    pcre-8.42$ sudo make install

3.1.2. Libffi

Libffi is a dependency of the Glib library, which in turn is used by the Moonshot library for some Dbus functionality.

  1. Download Libffi:

    $ curl -OL https://sourceware.org/pub/libffi/libffi-3.2.1.tar.gz
  2. Extract Libffi:

    $ tar xfz libffi-3.2.1.tar.gz
  3. Build Libffi:

    $ cd libffi-3.2.1
    libffi-3.2.1$ ./configure --disable-debug --disable-dependency-tracking
    libffi-3.2.1$ make
    libffi-3.2.1$ sudo make install

3.1.3. OpenSSL

The version of OpenSSL that Apple ships in macOS for backward compatibility is too old, and Moonshot requires at least OpenSSL v1.0.1.

  1. Create a directory called openssl.
  2. Download the OpenSSL build tree from Apple's OpenSource site. Some scripts that Apple provides will be needed, but we will not build it.

    $ cd openssl && curl -OL https://opensource.apple.com/tarballs/OpenSSL098/OpenSSL098-59.60.1.tar.gz
  3. Download the OpenSSL 1.0.2 release that will be built (1.0.2l here; use the most recent 1.0.2 patch release you can find, and bear in mind that the 1.0.2 series reached end of life on 31 December 2019 and no longer receives security fixes):

    $ curl -OL https://www.openssl.org/source/old/1.0.2/openssl-1.0.2l.tar.gz
  4. Extract OpenSSL098-59.60.1.tar.gz, copy its 'bin' directory into the openssl directory, then delete the extracted source.
  5. Edit the extract_source.sh script in the bin directory:
    1. Comment out the IDEA removal and patch lines (lines 39-49).
    2. Add the following parameters to each of the three ./Configure lines: no-ssl2 enable-ec_nistp_64_gcc_128
    3. Change the --openssldir parameter to your appropriate directory. We recommend /usr/local/moonshot/bin
    4. Change the --prefix parameter from /usr to /usr/local/moonshot
    5. Comment out the line 'rm -f Makefile'
    6. Find the line 'rm -f x86_64.h i386.h', and insert the following below it: ln -s crypto/idea/idea.h include/openssl/idea.h
  6. From the openssl directory, run the following:

    openssl$ bin/extract_source.sh .
  7. In the src directory, edit the Makefile file:
    1. Add the -DNO_IDEA parameter to the CFLAG line
    2. Add the -DNO_IDEA parameter to the DEPFLAG line
  8. Run the following commands:

    openssl/src$ make depend
    openssl/src$ make
    openssl/src$ sudo make install_sw

3.1.4. Heimdal

Heimdal requires OpenSSL. Once OpenSSL has built successfully, build Heimdal.

  1. Download Heimdal:

    $ curl -OL https://github.com/heimdal/heimdal/releases/download/heimdal-7.3.0/heimdal-7.3.0.tar.gz
  2. Extract Heimdal:

    $ tar xfz heimdal-7.3.0.tar.gz
  3. Build Heimdal:

    $ cd heimdal-7.3.0
    heimdal-7.3.0$ ./autogen.sh
    heimdal-7.3.0$ ./configure --prefix=/usr/local/heimdal --with-openssl=/usr/local/moonshot
    heimdal-7.3.0$ make
    heimdal-7.3.0$ sudo make install
  4. Note down both the location in which you built Heimdal, as well as where the Heimdal libraries are installed to (if you changed the --prefix parameter to something else). You will need the compile_et binary from the Heimdal build tree for the Moonshot mechanism build in Section 5.3, and you will need to set the --with-krb5 parameter of the Moonshot ./configure command in Section 5.3 to the location where you installed Heimdal.

3.1.5. LibConfuse

  1. Clone the latest Libconfuse repository:

    $ git clone --recursive https://github.com/martinh/libconfuse
  2. Build Libconfuse:

    $ cd libconfuse
    libconfuse$ ./autogen.sh
    libconfuse$ LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " ./configure --prefix=/usr/local/moonshot
    libconfuse$ make
    libconfuse$ sudo make install

3.1.6. LibEvent

Libevent requires OpenSSL. Once OpenSSL has built successfully, build Libevent.

  1. Clone the latest Libevent repository:

    $ git clone --recursive https://github.com/libevent/libevent
  2. Build Libevent:

    $ cd libevent
    libevent$ ./autogen.sh
    libevent$ CFLAGS=" -I/usr/local/moonshot/include " LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " ./configure \
    --prefix=/usr/local/moonshot
    libevent$ make
    libevent$ sudo make install

3.1.7. Dbus

Dbus is used by the macOS client to communicate with the Moonshot mechanism.

  1. Download the latest version of Dbus:

    $ curl -OL https://dbus.freedesktop.org/releases/dbus/dbus-1.12.10.tar.gz
  2. Extract Dbus:

    $ tar xfz dbus-1.12.10.tar.gz
  3. Build Dbus:

    $ cd dbus-1.12.10
    dbus-1.12.10$ TMPDIR=/tmp \
    EXPAT_CFLAGS=" -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include" \
    EXPAT_LIBS=-lexpat XML_CATALOG_FILES=/etc/xml/catalog ./configure --disable-dependency-tracking --prefix=/usr/local/moonshot \
    --sysconfdir=/etc --disable-xml-docs --disable-doxygen-docs --enable-launchd --with-launchd-agent-dir=/usr/local/moonshot \
    --without-x --disable-tests
    dbus-1.12.10$ make
    dbus-1.12.10$ sudo make install

3.1.8. Glib

Glib is required by the Moonshot library and Dbus-Glib.

  1. Download the latest version of Glib:

    $ curl -OL https://download.gnome.org/sources/glib/2.58/glib-2.58.1.tar.xz
  2. Extract Glib:

    $ tar fx glib-2.58.1.tar.xz
  3. Build Glib:

    $ cd glib-2.58.1
    glib-2.58.1$ ./autogen.sh
    glib-2.58.1$ PKG_CONFIG_PATH=/usr/local/moonshot/lib/pkgconfig ./configure --disable-maintainer-mode \
          --disable-dependency-tracking --disable-silent-rules --disable-dtrace \
          --disable-libelf --enable-static --prefix=/usr/local/moonshot \
          --localstatedir=/var --with-gio-module-dir=/usr/local/moonshot/lib/gio/modules
    glib-2.58.1$ make
    glib-2.58.1$ sudo make install

3.1.9. Dbus-Glib

Dbus-Glib is used by the Moonshot library to interact with Dbus.

  1. Download the latest version of Dbus-Glib:

    $ curl -OL https://dbus.freedesktop.org/releases/dbus-glib/dbus-glib-0.110.tar.gz
  2. Extract Dbus-Glib:

    $ tar xfz dbus-glib-0.110.tar.gz
  3. Configure the Dbus-Glib build:

    $ cd dbus-glib-0.110
    dbus-glib-0.110$ TMPDIR=/tmp EXPAT_CFLAGS=" -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include" \
    EXPAT_LIBS=-lexpat XML_CATALOG_FILES=/etc/xml/catalog PKG_CONFIG_PATH=/usr/local/moonshot/lib/pkgconfig \
    ./configure --disable-dependency-tracking --prefix=/usr/local/moonshot
    
  4. Edit the dbus/Makefile file, remove 'examples' from the SUBDIRS line, save the file.
  5. Build Dbus-Glib:

    dbus-glib-0.110$ make
    dbus-glib-0.110$ sudo make install
    dbus-glib-0.110$ cd -

3.1.10. Jansson

Jansson is used by the Moonshot libraries.

  1. Download the latest version of Jansson:

    $ curl -OL http://www.digip.org/jansson/releases/jansson-2.12.tar.gz
  2. Extract Jansson:

    $ tar xfz jansson-2.12.tar.gz
  3. Configure the Jansson build:

    $ cd jansson-2.12
    jansson-2.12$ LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " CFLAGS=" -I/usr/local/moonshot/include " ./configure \
    --prefix=/usr/local/moonshot --with-sysroot=/usr/local/moonshot
  4. Build Jansson:

    jansson-2.12$ make
    jansson-2.12$ sudo make install
    jansson-2.12$ cd -
    

4. Checkout the Moonshot source

The Moonshot source code is all stored in Git repositories at https://github.com/janetuk.

5. Build Moonshot

5.1. Libradsec

Libradsec is used by the Moonshot libraries.

  1. Clone the Libradsec source code:

    $ git clone https://github.com/janetuk/libradsec.git
  2. Configure the Libradsec build:

    $ cd libradsec
    libradsec$ chmod +x autogen.sh && ./autogen.sh
    libradsec$ LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " \
    CFLAGS=" -I/usr/local/moonshot/include -Wno-duplicate-decl-specifier -Wno-tautological-compare " ./configure \
    --prefix=/usr/local/moonshot
  3. Build Libradsec:

    libradsec$ make
    libradsec$ sudo make install
    libradsec$ cd -

5.2. The Moonshot UI

The Moonshot UI contains two components, libmoonshot, which is the interface between the Moonshot mechanism and the Identity Selector, and the Identity Selector itself. Libmoonshot and the Identity Selector can be built together:

  1. Clone the Moonshot UI project:

    $ git clone https://github.com/janetuk/moonshot-ui.git
    $ cd moonshot-ui && git checkout macos-build-integration && cd -
  2. Configure the UI build:

    $ cd moonshot-ui
    moonshot-ui$ chmod +x autogen.sh
    moonshot-ui$ PKG_CONFIG_PATH=/usr/local/moonshot/lib/pkgconfig LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " \
    DBUS_DAEMON="/usr/local/moonshot/bin" ./autogen.sh --prefix=/usr/local/moonshot

    Apple Developer Team ID support

    Optionally, if you have multiple Apple Developer ID certificates for different teams installed, use the optional --with-apple-developer-id=DeveloperTeamID parameter to specify the ID that is shown in brackets in the certificates. The build currently does not support Mac Developer certificates.

    To disable Apple Developer Team ID checks and signing, specify --with-apple-developer-id=no

  3. Build Libmoonshot:

    moonshot-ui$ make
    moonshot-ui$ sudo make install

    Pay attention to the output the sudo make install command provides and double-check that the library exists in /usr/local/moonshot/lib.

  4. Build the Identity Selector:

    moonshot-ui$ make app-bundle
    
  5. The Moonshot app will be in the ui/macos-ui/build/Release directory. You can then copy it from there to the /Applications folder.

Identity Selector app signing

Currently the Identity Selector is not signed. This is to avoid limitations with macOS sandboxing. However, once we enable signing for the Identity Selector, you should follow these additional steps:

  1. Pay attention to the output the make app-bundle command provides. You should see something similar to this to show that the build has copied the entitlements and has signed the application:

    ProcessProductPackaging "" build/Moonshot.build/Release/Moonshot.build/Moonshot.app.xcent
        cd /.../macos-ui
    
    Entitlements:
    {
        "com.apple.security.app-sandbox" = 1;
        "com.apple.security.files.downloads.read-only" = 1;
        "com.apple.security.files.user-selected.read-only" = 1;
    }
    
        builtin-productPackagingUtility -entitlements -format xml -o macos-ui/build/Moonshot.build/Release/Moonshot.build/Moonshot.app.xcent
    CodeSign build/Release/Moonshot.app
        cd /.../macos-ui
        export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
    Signing Identity:     "Developer ID Application: <your Apple Developer ID Application signing certificate CN here>"
  2. If Xcode did not sign the code and you did not disable Apple Developer ID checks and signing in Step 2, sign it manually:

    moonshot-ui$ codesign --force --sign "<your Apple Developer ID Application signing certificate CN here>" "macos-ui/build/Release/Moonshot.app"
  3. If you disabled Apple Developer ID checks in Step 2, skip this step. Otherwise verify the signing with the following command; you should have lines like these:

    moonshot-ui$ codesign -dv --verbose=4 "macos-ui/build/Release/Moonshot.app"
    :
    Authority=Developer ID Certification Authority
    Authority=Apple Root CA
    Signed Time=16 Jan 2019, 11:24:21
    Info.plist entries=24
    TeamIdentifier=<your Apple Developer team ID here>
    :

5.3. The Moonshot mechanism

  1. Clone the Moonshot mechanism project:

    $ git clone https://github.com/janetuk/mech_eap.git
  2. Configure the Moonshot build:

    $ cd mech_eap
    mech_eap$ chmod +x ./autogen.sh && ./autogen.sh
    mech_eap$ LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " LIBS=" -L/usr/local/moonshot/lib " \
    COMPILE_ET="/Users/admin/Desktop/build/heimdal-7.3.0/lib/com_err/compile_et" ./configure --with-krb5=/usr/local/heimdal \
    --with-libmoonshot=/usr/local/moonshot --with-radsec=/usr/local/moonshot --with-opensaml=no --with-shibresolver=no \
    --with-shibsp=no --with-openssl=/usr/local/moonshot --with-jansson=/usr/local/moonshot --sysconfdir=/etc

    Configure script parameters

    There are several parameters in the command above that rely on locations noted down previously:

    LIBS contains explicit library location references to the Moonshot libraries.

    COMPILE_ET contains the full path to the compile_et binary that will be in your Heimdal build tree. You noted this down in the last step of Section 3.1.4.

    --with-krb5 contains the location where the Heimdal libraries and headers were installed. You noted this down in the last step of Section 3.1.4.

  3. Pay attention to the latter part of the configure command output and verify that it has found the moonshot library.

    checking for Moonshot identity selector implementation... yes
    libmoonshot found in /usr/local/moonshot
    checking for moonshot_get_identity in -lmoonshot... yes
  4. Build Moonshot:

    mech_eap$ make
    mech_eap$ sudo make install
    

    If the first make command fails, change to the mech_eap directory and run the following:

    mech_eap$ make clean
    mech_eap$ make
    


    You should now have a mech_eap.so file in /usr/local/lib/gss.
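
Section 2 recommends building everything with an rpath so that nothing picks up the older OpenSSL under /usr/lib. The script below is an added example, not part of the Moonshot project: it reads the load commands that otool -L prints for a built Mach-O file and reports any that resolve libcrypto or libssl to /usr/lib. The otool output embedded in it is a constructed sample, not captured from a real build, and the function names are this example's own. Run check_openssl_links over mech_eap.so and the dylibs in /usr/local/moonshot/lib before moving on to Section 6.

```sh
#!/bin/sh
# Added example, not part of the Moonshot project: report load commands in
# `otool -L` output that resolve OpenSSL to Apple's compatibility copy under
# /usr/lib instead of the build under /usr/local/moonshot. This is the clash
# the rpath recommendation in Section 2 exists to prevent.

# find_system_ssl_refs: reads `otool -L` output on stdin, prints each
# offending library path, exits 1 if there was at least one.
find_system_ssl_refs() {
    awk '
        NR == 1 { next }                 # first line is "<file>:"
        $1 ~ /^\/usr\/lib\/lib(crypto|ssl)\./ { bad++; print $1 }
        END { exit (bad > 0 ? 1 : 0) }
    '
}

# check_openssl_links <mach-o file>: macOS only, needs otool from Xcode.
check_openssl_links() {
    otool -L "$1" | find_system_ssl_refs
}

# Sweep everything built so far, e.g. before Section 6:
#   find /usr/local/lib/gss /usr/local/moonshot/lib -type f \
#       \( -name '*.dylib' -o -name '*.so' \) |
#   while read -r f; do check_openssl_links "$f" || echo "FIX: $f"; done

# Constructed sample of `otool -L` output (not captured from a real build;
# version numbers are made up) with one load command pointing at /usr/lib.
SAMPLE_OTOOL_OUTPUT='/usr/local/lib/gss/mech_eap.so:
    /usr/local/moonshot/lib/libmoonshot.1.dylib (compatibility version 2.0.0, current version 2.0.0)
    /usr/local/moonshot/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.50.4)'
```

A library that shows up here was linked without the LDFLAGS from Section 3, or was linked before /usr/local/moonshot/lib/libcrypto existed; rebuild it with the -L and -Wl,-rpath flags rather than trying to patch the binary afterwards.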

6. Test Moonshot

To test this build of Moonshot, you will need to make some privileged changes to the system you built this on:

  1. In /etc, create a gss directory:

    mech_eap$ sudo mkdir -p /etc/gss
  2. Copy the mech file from the Moonshot mech_eap build directory to /etc/gss

    mech_eap$ sudo cp mech_eap/mech /etc/gss/
  3. As the privileged user, edit the /etc/gss/mech file:
    1. Change the mech_eap.so entry on each line to the full path of the library, e.g. /usr/local/lib/gss/mech_eap.so
    2. Save the file.
  4. Copy the Identity Selector app (Moonshot.app) you built in Step 5 of Section 5.2 above into the /Applications folder.

  5. Run the Identity Selector app from the Launch Pad, then add a new Moonshot identity to the app.
  6. Run an SSH command to a Moonshot-enabled system that the credentials you added in the previous step will be valid for. Note that -K enables GSSAPI authentication and also delegates (forwards) your GSSAPI credentials to the server, which is what the repeated "Delegating credentials" lines in the output below are; if the target does not need delegated credentials, use -o GSSAPIAuthentication=yes instead of -K:

    ssh -Kv user@moonshot-host.realm

    Jisc Assent

    If you have an identity provider on the Jisc Assent network, you can use ssh -Kv moonshot@ssh.test.moonshot.ja.net to test whether your macOS Moonshot mechanism worked successfully.

  7. You should be prompted for an identity the first time you do this, and then successfully connect to the service. You should see several lines like this in the output:

    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug1: Delegating credentials
    debug1: Delegating credentials
    debug1: Delegating credentials
    debug1: Delegating credentials
    debug1: Delegating credentials
    debug1: Delegating credentials
    debug1: Delegating credentials
    debug1: Delegating credentials
    debug1: Delegating credentials
    debug1: Delegating credentials
    debug1: Delegating credentials
    debug1: Authentication succeeded (gssapi-with-mic).
    Authenticated to ssh.test.moonshot.ja.net ([212.219.179.184]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending env LANG = en_GB.UTF-8

    Jisc Assent

    On the Jisc Assent Test SSH Service, the final output for success will be this:

    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending env LANG = en_GB.UTF-8
    *** JISC Moonshot Test SSH Server ***
    You have successfully logged in with Moonshot.
    You are user: moonshot
    [moonshot@ssh ~]$
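
Step 3 above edits /etc/gss/mech by hand. The script below is an added example, not part of the Moonshot project: it performs that rewrite and then checks the result the way a cautious administrator would, because every GSSAPI client on the machine (the ssh client used in this section among them) loads whatever library this file names. It assumes lines of the form "name OID library" as the step describes, that the library directory contains no #, & or backslash characters, and that the installed files are owned by root; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the Moonshot project: rewrite bare "mech_eap.so"
# entries in a GSS mech file to an absolute path, then check that every
# mechanism library the file names is absolute, present, owned by the
# expected user and writable by nobody else. A relative or writable library
# path here is a code-loading hazard for every GSSAPI client on the host.

# rewrite_mech_paths <in> <out> <libdir>: only a bare "mech_eap.so" preceded
# by whitespace is rewritten, so running it twice does not double the path.
# <libdir> is assumed to contain no '#', '&' or backslash (sed delimiters).
rewrite_mech_paths() {
    sed 's#\([[:space:]]\)mech_eap\.so#\1'"$3"'/mech_eap.so#' "$1" > "$2"
}

# check_mech_file <mechfile> [<owner>]: return 1 and report if any library
# is not an absolute path, is missing, is not owned by <owner> (default root)
# or is group/world writable. Blank lines and '#' comments are skipped.
check_mech_file() {
    owner=${2:-root}; rc=0
    while read -r name oid lib rest; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$lib" in
            /*) ;;
            *) echo "$name: library '$lib' is not an absolute path" >&2; rc=1; continue ;;
        esac
        if [ ! -f "$lib" ]; then
            echo "$name: $lib does not exist" >&2; rc=1; continue
        fi
        # find prints the path only if owned by $owner with no g+w / o+w bit
        if [ -z "$(find "$lib" -user "$owner" ! -perm -020 ! -perm -002)" ]; then
            echo "$name: $lib must be owned by $owner and not group/world writable" >&2
            rc=1
        fi
    done < "$1"
    return $rc
}

# Typical use as root, after copying the mech file from the build tree:
#   rewrite_mech_paths /etc/gss/mech /etc/gss/mech.new /usr/local/lib/gss \
#       && mv /etc/gss/mech.new /etc/gss/mech \
#       && check_mech_file /etc/gss/mech
```

The ownership and permission check is the part worth keeping around: /usr/local is outside SIP, so a build account or a stray chmod can leave /usr/local/lib/gss/mech_eap.so writable, and the mech file will happily hand that library to ssh.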

7. Distribute and install Moonshot

To distribute this binary set, you will need to trim down the binaries you have built to include only the dynamic libraries and only bare essentials needed to run the mechanism:

7.1. Automatic build

The macos-ui directory in the moonshot-ui/ tree has a Makefile that will automatically run all the build steps in Section 7.2.

  1. Change to the macos-ui directory, run make installer.
  2. The final result should be a signed (if you chose to use Apple Developer ID support) Moonshot.dmg file in the macos-ui directory.

7.2. Manual build

7.2.1. Create the distribution archive for the mechanism

  1. Make a copy of the /usr/local directory into the Installer directory as the privileged user.

    macos-ui$ mkdir -p Installer/local
    macos-ui$ sudo cp -R /usr/local/* Installer/local
    macos-ui$ sudo chown -R `whoami` Installer/local
  2. Once the duplication process is complete, change to the Installer/local directory and remove everything except the following in the tree:

    .
    ./lib
    ./lib/gss
    ./lib/gss/mech_eap.so
    ./lib/libffi.6.dylib
    ./lib/libffi.dylib
    ./lib/libintl.8.dylib
    ./lib/libintl.dylib
    ./lib/libpcre.1.dylib
    ./lib/libpcre.dylib
    ./moonshot
    ./moonshot/bin
    ./moonshot/bin/c_rehash
    ./moonshot/bin/certs
    ./moonshot/bin/dbus-binding-tool
    ./moonshot/bin/dbus-cleanup-sockets
    ./moonshot/bin/dbus-daemon
    ./moonshot/bin/dbus-launch
    ./moonshot/bin/dbus-monitor
    ./moonshot/bin/dbus-run-session
    ./moonshot/bin/dbus-send
    ./moonshot/bin/dbus-test-tool
    ./moonshot/bin/dbus-update-activation-environment
    ./moonshot/bin/dbus-uuidgen
    ./moonshot/bin/event_rpcgen.py
    ./moonshot/bin/gdbus
    ./moonshot/bin/gdbus-codegen
    ./moonshot/bin/misc
    ./moonshot/bin/misc/c_hash
    ./moonshot/bin/misc/c_info
    ./moonshot/bin/misc/c_issuer
    ./moonshot/bin/misc/c_name
    ./moonshot/bin/misc/CA.pl
    ./moonshot/bin/misc/CA.sh
    ./moonshot/bin/misc/tsget
    ./moonshot/bin/openssl
    ./moonshot/bin/openssl.cnf
    ./moonshot/bin/private
    ./moonshot/lib
    ./moonshot/lib/engines
    ./moonshot/lib/engines/lib4758cca.dylib
    ./moonshot/lib/engines/libaep.dylib
    ./moonshot/lib/engines/libatalla.dylib
    ./moonshot/lib/engines/libcapi.dylib
    ./moonshot/lib/engines/libchil.dylib
    ./moonshot/lib/engines/libcswift.dylib
    ./moonshot/lib/engines/libgmp.dylib
    ./moonshot/lib/engines/libgost.dylib
    ./moonshot/lib/engines/libnuron.dylib
    ./moonshot/lib/engines/libpadlock.dylib
    ./moonshot/lib/engines/libsureware.dylib
    ./moonshot/lib/engines/libubsec.dylib
    ./moonshot/lib/libconfuse.2.dylib
    ./moonshot/lib/libconfuse.dylib
    ./moonshot/lib/libcrypto.1.0.0.dylib
    ./moonshot/lib/libcrypto.dylib
    ./moonshot/lib/libdbus-1.3.dylib
    ./moonshot/lib/libdbus-1.dylib
    ./moonshot/lib/libdbus-glib-1.2.dylib
    ./moonshot/lib/libdbus-glib-1.dylib
    ./moonshot/lib/libevent-2.1.6.dylib
    ./moonshot/lib/libevent.dylib
    ./moonshot/lib/libevent_core-2.1.6.dylib
    ./moonshot/lib/libevent_core.dylib
    ./moonshot/lib/libevent_extra-2.1.6.dylib
    ./moonshot/lib/libevent_extra.dylib
    ./moonshot/lib/libevent_openssl-2.1.6.dylib
    ./moonshot/lib/libevent_openssl.dylib
    ./moonshot/lib/libevent_pthreads-2.1.6.dylib
    ./moonshot/lib/libevent_pthreads.dylib
    ./moonshot/lib/libgio-2.0.0.dylib
    ./moonshot/lib/libgio-2.0.dylib
    ./moonshot/lib/libglib-2.0.0.dylib
    ./moonshot/lib/libglib-2.0.dylib
    ./moonshot/lib/libgmodule-2.0.0.dylib
    ./moonshot/lib/libgmodule-2.0.dylib
    ./moonshot/lib/libgobject-2.0.0.dylib
    ./moonshot/lib/libgobject-2.0.dylib
    ./moonshot/lib/libgthread-2.0.0.dylib
    ./moonshot/lib/libgthread-2.0.dylib
    ./moonshot/lib/libjansson.4.dylib
    ./moonshot/lib/libjansson.dylib
    ./moonshot/lib/libmoonshot.0.dylib
    ./moonshot/lib/libmoonshot.1.dylib
    ./moonshot/lib/libmoonshot.dylib
    ./moonshot/lib/libradsec.0.dylib
    ./moonshot/lib/libradsec.dylib
    ./moonshot/lib/libssl.1.0.0.dylib
    ./moonshot/lib/libssl.dylib
    ./moonshot/libexec
    ./moonshot/libexec/dbus-daemon-launch-helper
    ./moonshot/org.freedesktop.dbus-session.plist
    ./moonshot/share
    ./moonshot/share/dbus-1
    ./moonshot/share/dbus-1/services
    ./moonshot/share/dbus-1/session.conf
    ./moonshot/share/dbus-1/session.d
    ./moonshot/share/dbus-1/system-services
    ./moonshot/share/dbus-1/system.conf
    ./moonshot/share/dbus-1/system.d
    ./moonshot/share/xml
    ./moonshot/share/xml/dbus-1
    ./moonshot/share/xml/dbus-1/busconfig.dtd
    ./moonshot/share/xml/dbus-1/introspect.dtd
    ./moonshot/var
    ./moonshot/var/lib
    ./moonshot/var/lib/dbus
    ./moonshot/var/run
    ./moonshot/var/run/dbus

    Sample commands

    Below are some sample commands that do the trimming for you. Save the above list in a file called filemanifest.txt in the macos-ui directory (the parent of Installer), then execute these:

    $ cd Installer/local
    local$ rm -rf $(ls | grep -v moonshot | grep -v lib)
    local$ find . \( -type f -o -type l \) | while read -r f; do grep -Fxq -- "$f" ../../filemanifest.txt || rm -f "$f"; done
    local$ find . -type d | awk '{ print length, $0 }' | sort -nr -s | cut -d" " -f2- | while read -r d; do grep -Fxq -- "$d" ../../filemanifest.txt || rmdir "$d"; done

    A 'find .' command should yield the same list as the above.

  3. Now use tar to package up the contents of your distribution directory.

    local$ tar -zcvf local.tar.gz ./

    You should have a tarball around 4.1 MB in size.

  4. Now move local.tar.gz to the ui/macos-ui/Installer directory:

    local$ mv local.tar.gz ../
    local$ cd ../..

7.2.2. The Moonshot Uninstaller utility

The Uninstaller utility is an Xcode project.

  1. Build the Uninstaller utility:

    moonshot-ui$ make uninstaller-bundle
  2. Pay attention to the output the make uninstaller-bundle command provides. You should see something similar to this to show that the build has copied the entitlements and has signed the application:

    ProcessProductPackaging "" build/Uninstall\ Moonshot.build/Release/Uninstall\ Moonshot.build/Uninstall\ Moonshot.app.xcent
        cd /.../macos-ui/Uninstaller
    
    Entitlements:
    {
        "com.apple.security.app-sandbox" = 0;
        "com.apple.security.files.user-selected.read-only" = 0;
    }
    
        builtin-productPackagingUtility -entitlements -format xml -o /.../macos-ui/Uninstaller/build/Uninstall\ Moonshot.build/Release/Uninstall\ Moonshot.build/Uninstall\ Moonshot.app.xcent
    CodeSign build/Release/Uninstall\ Moonshot.app
        cd /.../macos-ui/Uninstaller
        export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
    Signing Identity:     "Developer ID Application: <your Apple Developer ID Application signing certificate CN here>"
  3. If Xcode did not sign the code and you did not disable Apple Developer ID checks in Section 5.2, Step 2, sign it manually:

    moonshot-ui$ codesign --force --sign "<your Apple Developer ID Application signing certificate CN here>" "macos-ui/build/Release/Uninstall Moonshot.app"
  4. Verify the signing with the following command; you should have lines like these:

    moonshot-ui$ codesign -dv --verbose=4 "macos-ui/Uninstaller/build/Release/Uninstall Moonshot.app"
    :
    Authority=Developer ID Certification Authority
    Authority=Apple Root CA
    Signed Time=16 Jan 2019, 11:24:21
    Info.plist entries=24
    TeamIdentifier=<your Apple Developer team ID here>
    :
  5. The Uninstall Moonshot app will be in the ui/macos-ui/Uninstaller/build/Release directory. You can then copy it from there to the /Applications folder.

7.2.3. The Moonshot Installer

The Moonshot installer contains the distribution archive, the uninstaller utility, and the Moonshot identity selector.

  1. Change to the Installer folder:

    $ cd ui/macos-ui/Installer
  2. Copy the Moonshot identity selector app from the Applications folder to the LatestBuild directory
  3. Copy the Uninstall Moonshot app from the ui/macos-ui/Uninstaller/build/Release directory to the LatestBuild directory
  4. Copy the distribution archive you created in Section 7.2.1 to this directory, replacing the existing local.tar.gz file.
  5. Build the installer (packagesbuild is the command-line tool of the Packages application, which must be installed separately):

    Installer$ mkdir Moonshot
    Installer$ packagesbuild Moonshot.pkgproj
    Installer$ productsign --sign "<your Apple Developer ID Installer signing certificate CN here>" Moonshot.pkg Moonshot/Moonshot.pkg
  6. Create the Moonshot distribution disk image:

    Installer$ chmod +x create-dmg.sh
    Installer$ ./create-dmg.sh --volname "Moonshot" \
    		--volicon moonshot-dmg-volumeicons.icns \
    		--background moonshot-dmg-background-with-start.png \
    		--no-internet-enable --window-size 400 273 --icon-size 64 --text-size 14 \
    		--icon "Moonshot.pkg" 160 48 --hide-extension "Moonshot.pkg" \
    		Moonshot.dmg Moonshot/
    Installer$ codesign --sign "<your Apple Developer ID Application signing certificate CN here>" Moonshot.dmg
  7. Copy the resulting Moonshot.dmg to your distribution point.
  8. Generate a checksum for Moonshot.dmg and publish it somewhere other than the download location itself, so that a compromised download point cannot also serve a matching checksum. The checksum only shows that a download is intact; the Developer ID signatures on Moonshot.pkg and Moonshot.dmg are what show who built it, and from macOS 10.15 onwards Gatekeeper also expects Developer ID-signed software to be notarized by Apple.

    $ shasum -a 256 Moonshot.dmg

8. Issues

Current issues with this build include that the macOS SSH client abandons a gssapi-with-mic conversation if the first mechanism it chooses fails.

In a domain environment, this usually involves a Kerberos interaction, i.e. where you have received a Kerberos ticket before by logging in or by running kinit. Other ssh clients (or a custom build of the ssh client) may not exhibit this behaviour.

On macOS Sierra and later, the native SSH client is sandboxed when run from its default location in /usr/bin. Making a copy of the binary in /usr/local/bin enables it to authenticate with Moonshot. Adjust /etc/paths to load binaries in /usr/local/bin first, then restart your sessions.

Currently the Moonshot Identity Manager (Moonshot.app) is not signed during the automatic build. This is due to Apple sandboxing the app when it is signed, making it impossible for it to communicate with Dbus (and by extension, the Moonshot mechanism). Not signing the app allows Moonshot authentication to proceed.
