Installing Libsodium on Amazon Linux 2023
Surprisingly, AWS has chosen not to include a package for libsodium in its latest releases of Amazon Linux 2023 (even though it was included in Amazon Linux 2, and in Amazon Linux 2023 pre-releases until June 2022). Fortunately, libsodium is easy enough to build and install yourself. Here’s how to do it on Amazon Linux 2023:
Install Prerequisites
To build libsodium, you’ll first need to have the gcc, make, and wget packages installed:
$ sudo dnf install gcc make wget
Dependencies resolved.
...
Install 23 Packages
Total download size: 55 M
Installed size: 183 M
Is this ok [y/N]: y
...
Complete!Download Release
Next, download the latest versioned release from the libsodium releases archive:
$ wget https://download.libsodium.org/libsodium/releases/libsodium-1.0.18.tar.gz
...
‘libsodium-1.0.18.tar.gz’ saved [1919817/1919817]|
Note
|
Tarballs listed in the libsodium releases archive with no suffix (eg See the libsodium releases README for further details. |
Verify Signature
Next, import the GPG keys for Frank Denis (libsodium’s maintainer); either copying them from the Integrity Checking section of libsodium’s Installation page, or downloading them directly from his personal site:
$ wget https://download.pureftpd.org/public_keys/jedi.gpg.asc -O - | gpg --import -
...
(436 MB/s) - written to stdout [8879/8879]
gpg: key 210627AABA709FE1: 3 signatures not checked due to missing keys
gpg: key 210627AABA709FE1: public key "Frank Denis <opstrust@pureftpd.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys foundThen verify the tarball you just downloaded in the previous step with these keys:
$ wget https://download.libsodium.org/libsodium/releases/libsodium-1.0.18.tar.gz.sig -O - | gpg --verify - libsodium-1.0.18.tar.gz
...
(33.4 MB/s) - written to stdout [566/566]
gpg: Signature made Thu 30 May 2019 09:00:08 PM UTC
gpg: using RSA key 0C7983A8FD9A104C623172CB62F25B592B6F76DA
gpg: Good signature from "Frank Denis <opstrust@pureftpd.org>" [unknown]
gpg: aka "Frank Denis (Jedi/Sector One) <0daydigest@pureftpd.org>" [unknown]
gpg: aka "Frank Denis (Jedi/Sector One) <j@pureftpd.org>" [unknown]
gpg: aka "Frank Denis <github@pureftpd.org>" [unknown]
gpg: aka "Frank Denis <frank.denis@corp.ovh.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 54A2 B889 2CC3 D6A5 97B9 2B6C 2106 27AA BA70 9FE1
Subkey fingerprint: 0C79 83A8 FD9A 104C 6231 72CB 62F2 5B59 2B6F 76DAThe important part of the resulting verification message is that you have a Good signature from a known, expected key fingerprint (0C79 83A8 FD9A 104C 6231 72CB 62F2 5B59 2B6F 76DA). The other bits of the output are relevant only if you’ve fiddled enough with your GPG trust DB to in order to set a trust level for the key.
Build & Install
Now you can extract the libsodium tarball, and run through libsodium’s build steps:
First, extract the tarball and enter its root directory:
$ tar xf libsodium-1.0.18.tar.gz
$ cd libsodium-1.0.18Then run the configuration script:
$ ./configure
checking build system type... aarch64-unknown-linux-gnu
...
config.status: executing libtool commandsNext, build the library and run its validation test suite (these steps may take a minute or two on slower hardware):
$ make && make check
Making all in builds
make[1]: Entering directory '/home/ec2-user/libsodium-1.0.18/builds'
...
make[1]: Leaving directory '/home/ec2-user/libsodium-1.0.18'
Making check in builds
make[1]: Entering directory '/home/ec2-user/libsodium-1.0.18/builds'
...
make[3]: Leaving directory '/home/ec2-user/libsodium-1.0.18/test/default'
make check-TESTS
make[3]: Entering directory '/home/ec2-user/libsodium-1.0.18/test/default'
make[4]: Entering directory '/home/ec2-user/libsodium-1.0.18/test/default'
PASS: aead_aes256gcm
PASS: aead_aes256gcm2
...
PASS: siphashx24
PASS: xchacha20
============================================================================
Testsuite summary for libsodium 1.0.18
============================================================================
# TOTAL: 77
# PASS: 77
# SKIP: 0
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================
make[4]: Leaving directory '/home/ec2-user/libsodium-1.0.18/test/default'
...
make[1]: Leaving directory '/home/ec2-user/libsodium-1.0.18'The result of these commands should be that all the tests in the test suite pass.
Finally, install the built library binary into your /usr/local/lib directory (and its corresponding header files into the /usr/local/include directory) with the following command:
$ sudo make install
Making install in builds
make[1]: Entering directory '/home/ec2-user/libsodium-1.0.18/builds'
...
Libraries have been installed in:
/usr/local/lib
...
make[1]: Leaving directory '/home/ec2-user/libsodium-1.0.18'Update Library Paths
The last step needed is to update the system’s dynamic library linker with the new library.
Run the following command to add /usr/local/lib to the system’s trusted library paths:
$ echo /usr/local/lib | sudo tee /etc/ld.so.conf.d/local.conf
/usr/local/libThen run the ldconfig command to update the linker’s cache:
$ sudo ldconfigCheck for libsodium in the linker’s cache with the following command:
$ ldconfig -p | grep libsodium
libsodium.so.23 (libc6,AArch64) => /usr/local/lib/libsodium.so.23
libsodium.so (libc6,AArch64) => /usr/local/lib/libsodium.soNow libsodium should be available for use on the system!
Bonus: Build & Install Minisign
You can now compile and run various other programs that rely on libsodium. One such program is Minisign (which allows for signing and verifying files with less fuss than GPG). You can build and install it on Amazon Linux 2023 like the following:
First, install the cmake package:
Dependencies resolved.
...
Install 9 Packages
Total download size: 7.3 M
Installed size: 28 M
Is this ok [y/N]: y
...
Complete!Next, download the latest tarball from the Minisign releases archive:
$ wget https://github.com/jedisct1/minisign/archive/refs/tags/0.10.tar.gz
...
(1.85 MB/s) - ‘0.10.tar.gz’ saved [18242]Extract the tarball and enter its root directory:
$ tar xf 0.10.tar.gz
$ cd minisign-0.10From there, create a new build directory, and run cmake in it:
$ mkdir build && cd build
$ cmake ..
CMake Deprecation Warning at CMakeLists.txt:1 (cmake_minimum_required):
...
-- Build files have been written to: /home/ec2-user/minisign-0.10/buildThen run the Makefile that’s been generated in the build directory:
$ make
[ 20%] Building C object CMakeFiles/minisign.dir/src/base64.c.o
[ 40%] Building C object CMakeFiles/minisign.dir/src/get_line.c.o
[ 60%] Building C object CMakeFiles/minisign.dir/src/helpers.c.o
[ 80%] Building C object CMakeFiles/minisign.dir/src/minisign.c.o
[100%] Linking C executable minisign
[100%] Built target minisignFinally, install the built minisign executable (to your /usr/local/bin directory):
$ sudo make install
Consolidate compiler generated dependencies of target minisign
[100%] Built target minisign
Install the project...
-- Install configuration: "MinSizeRel"
-- Installing: /usr/local/bin/minisign
-- Set runtime path of "/usr/local/bin/minisign" to ""
-- Installing: /usr/local/share/man/man1/minisign.1Minisign is now installed and available on the system!:
$ minisign -v
minisign 0.10