Surprisingly, AWS has chosen not to include a package for libsodium in its latest releases of Amazon Linux 2022 (even though it was included in Amazon Linux 2, and in Amazon Linux 2022 pre-releases until June 2022). Fortunately, libsodium is easy enough to build and install yourself. Here’s how to do it on Amazon Linux 2022:
To build libsodium, you’ll first need to have the gcc, make, and wget packages installed:
    $ sudo dnf install gcc make wget
    Dependencies resolved.
    ...
    Install 23 Packages
    Total download size: 55 M
    Installed size: 183 M
    Is this ok [y/N]: y
    ...
    Complete!
Next, download the latest versioned release from the libsodium releases archive:
    $ wget https://download.libsodium.org/libsodium/releases/libsodium-1.0.18.tar.gz
    ...
    ‘libsodium-1.0.18.tar.gz’ saved [1919817/1919817]
Tarballs listed in the libsodium releases archive with no suffix (eg
See the libsodium releases README for further details.
Next, import the GPG keys for Frank Denis (libsodium’s maintainer), either by copying them from the Integrity Checking section of libsodium’s Installation page or by downloading them directly from his personal site:
    $ wget https://download.pureftpd.org/public_keys/jedi.gpg.asc -O - | gpg --import -
    ...
    (436 MB/s) - written to stdout [8879/8879]
    gpg: key 210627AABA709FE1: 3 signatures not checked due to missing keys
    gpg: key 210627AABA709FE1: public key "Frank Denis <firstname.lastname@example.org>" imported
    gpg: Total number processed: 1
    gpg: imported: 1
    gpg: no ultimately trusted keys found
Then verify the tarball you just downloaded in the previous step with these keys:
    $ wget https://download.libsodium.org/libsodium/releases/libsodium-1.0.18.tar.gz.sig -O - | gpg --verify - libsodium-1.0.18.tar.gz
    ...
    (33.4 MB/s) - written to stdout [566/566]
    gpg: Signature made Thu 30 May 2019 09:00:08 PM UTC
    gpg: using RSA key 0C7983A8FD9A104C623172CB62F25B592B6F76DA
    gpg: Good signature from "Frank Denis <email@example.com>" [unknown]
    gpg: aka "Frank Denis (Jedi/Sector One) <firstname.lastname@example.org>" [unknown]
    gpg: aka "Frank Denis (Jedi/Sector One) <email@example.com>" [unknown]
    gpg: aka "Frank Denis <firstname.lastname@example.org>" [unknown]
    gpg: aka "Frank Denis <email@example.com>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 54A2 B889 2CC3 D6A5 97B9 2B6C 2106 27AA BA70 9FE1
    Subkey fingerprint: 0C79 83A8 FD9A 104C 6231 72CB 62F2 5B59 2B6F 76DA
The important part of the resulting verification message is that you have a Good signature from a known, expected key fingerprint (0C79 83A8 FD9A 104C 6231 72CB 62F2 5B59 2B6F 76DA). The other bits of the output are relevant only if you’ve fiddled enough with your GPG trust DB to set a trust level for the key.
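One way to script the check described above, as an added example that is not from the original post or the libsodium project: it reads gpg's machine-readable status lines and accepts the tarball only when a good signature was made by the pinned subkey fingerprint. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a tarball only if gpg reports a good signature made
# by one pinned key, instead of reading the human-oriented output by eye.

# Signing-subkey and primary-key fingerprints, copied from the gpg output above.
EXPECTED_FPR=0C7983A8FD9A104C623172CB62F25B592B6F76DA
PRIMARY_FPR=54A2B8892CC3D6A597B92B6C210627AABA709FE1

# check_status FPR: read gpg --status-fd lines on stdin; succeed only if
# there is exactly one signature, it is GOODSIG (VALIDSIG alone is also
# emitted for expired or revoked keys), and its fingerprint is FPR.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { n++; if ($3 == want) pinned = 1 }
        END { exit !(good && pinned && !bad && n == 1) }
    '
}

# verify_tarball FILE SIGFILE: status lines go to stdout (fd 1), the
# human-readable messages stay on stderr and are discarded here.
verify_tarball() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# sample_status SIGNING_FPR [SIGSTATE]: constructed status lines (not
# captured gpg output) so the parser can be exercised offline.
sample_status() {
    printf '[GNUPG:] NEWSIG\n'
    printf '[GNUPG:] %s 62F25B592B6F76DA Frank Denis\n' "${2:-GOODSIG}"
    printf '[GNUPG:] VALIDSIG %s 2019-05-30 1559250008 0 4 0 1 10 00 %s\n' \
        "$1" "$PRIMARY_FPR"
}

if [ "$#" -eq 2 ]; then
    if verify_tarball "$1" "$2"; then
        echo "OK: $1 is signed by $EXPECTED_FPR"
    else
        echo "FAILED: no good signature from the pinned key on $1" >&2
        exit 1
    fi
fi
```

Run as a script, it takes the tarball and a downloaded copy of the .sig file as its two arguments and exits non-zero unless the pinned key made the signature.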
Now you can extract the libsodium tarball, and run through libsodium’s build steps:
First, extract the tarball and enter its root directory:
    $ tar xf libsodium-1.0.18.tar.gz
    $ cd libsodium-1.0.18
Then run the configuration script:
    $ ./configure
    checking build system type... aarch64-unknown-linux-gnu
    ...
    config.status: executing libtool commands
Next, build the library and run its validation test suite (these steps may take a minute or two on slower hardware):
    $ make && make check
    Making all in builds
    make: Entering directory '/home/ec2-user/libsodium-1.0.18/builds'
    ...
    make: Leaving directory '/home/ec2-user/libsodium-1.0.18'
    Making check in builds
    make: Entering directory '/home/ec2-user/libsodium-1.0.18/builds'
    ...
    make: Leaving directory '/home/ec2-user/libsodium-1.0.18/test/default'
    make check-TESTS
    make: Entering directory '/home/ec2-user/libsodium-1.0.18/test/default'
    make: Entering directory '/home/ec2-user/libsodium-1.0.18/test/default'
    PASS: aead_aes256gcm
    PASS: aead_aes256gcm2
    ...
    PASS: siphashx24
    PASS: xchacha20
    ============================================================================
    Testsuite summary for libsodium 1.0.18
    ============================================================================
    # TOTAL: 77
    # PASS: 77
    # SKIP: 0
    # XFAIL: 0
    # FAIL: 0
    # XPASS: 0
    # ERROR: 0
    ============================================================================
    make: Leaving directory '/home/ec2-user/libsodium-1.0.18/test/default'
    ...
    make: Leaving directory '/home/ec2-user/libsodium-1.0.18'
The result of these commands should be that all the tests in the test suite pass.
Finally, install the built library binary into your /usr/local/lib directory (and its corresponding header files into the /usr/local/include directory) with the following command:
    $ sudo make install
    Making install in builds
    make: Entering directory '/home/ec2-user/libsodium-1.0.18/builds'
    ...
    Libraries have been installed in:
    /usr/local/lib
    ...
    make: Leaving directory '/home/ec2-user/libsodium-1.0.18'
The last step needed is to update the system’s dynamic library linker with the new library.
Run the following command to add /usr/local/lib to the system’s trusted library paths:
    $ echo /usr/local/lib | sudo tee /etc/ld.so.conf.d/local.conf
    /usr/local/lib
Then run the ldconfig command to update the linker’s cache:
    $ sudo ldconfig
Check for libsodium in the linker’s cache with the following command:
    $ ldconfig -p | grep libsodium
    libsodium.so.23 (libc6,AArch64) => /usr/local/lib/libsodium.so.23
    libsodium.so (libc6,AArch64) => /usr/local/lib/libsodium.so
Now libsodium should be available for use on the system!
You can now compile and run various other programs that rely on libsodium. One such program is Minisign (which allows for signing and verifying files with less fuss than GPG). You can build and install it on Amazon Linux 2022 as follows:
First, install the
    Dependencies resolved.
    ...
    Install 9 Packages
    Total download size: 7.3 M
    Installed size: 28 M
    Is this ok [y/N]: y
    ...
    Complete!
Next, download the latest tarball from the Minisign releases archive:
    $ wget https://github.com/jedisct1/minisign/archive/refs/tags/0.10.tar.gz
    ...
    (1.85 MB/s) - ‘0.10.tar.gz’ saved
Extract the tarball and enter its root directory:
    $ tar xf 0.10.tar.gz
    $ cd minisign-0.10
From there, create a new build directory, and run cmake in it:
    $ mkdir build && cd build
    $ cmake ..
    CMake Deprecation Warning at CMakeLists.txt:1 (cmake_minimum_required):
    ...
    -- Build files have been written to: /home/ec2-user/minisign-0.10/build
Then run the Makefile that’s been generated in the
    $ make
    [ 20%] Building C object CMakeFiles/minisign.dir/src/base64.c.o
    [ 40%] Building C object CMakeFiles/minisign.dir/src/get_line.c.o
    [ 60%] Building C object CMakeFiles/minisign.dir/src/helpers.c.o
    [ 80%] Building C object CMakeFiles/minisign.dir/src/minisign.c.o
    [100%] Linking C executable minisign
    [100%] Built target minisign
Finally, install the built minisign executable (to your
    $ sudo make install
    Consolidate compiler generated dependencies of target minisign
    [100%] Built target minisign
    Install the project...
    -- Install configuration: "MinSizeRel"
    -- Installing: /usr/local/bin/minisign
    -- Set runtime path of "/usr/local/bin/minisign" to ""
    -- Installing: /usr/local/share/man/man1/minisign.1
Minisign is now installed and available on the system:
    $ minisign -v
    minisign 0.10