Reminder to self about how to build get-cert for Mac OSX Two machines, Intel and PPC, are currently needed to build get-cert for the Mac because the NSS code from Mozilla is not able to compile i386 code on the PPC architecture. It fails with an asm command. ~/coding is where all the code sits. Universal binaries need to be made for all the utilities that come with get-cert. These include the following. Network Security Services (NSS) from Mozilla - certutil - pk12util kx509 from University of Michigan - kxlist - kx509 First, build the NSS code from Mozilla. If you blow away the code in the ~/coding directory for NSS, you can redownload the code. Currently the code can be obtained from here. ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/ As of 10-16-2006, I am using version 3.11.3, so go to the following directory in this FTP space. NSS_3_11_3_RTM/src Download the file nss-3.11.3-with-nspr-4.6.3.tar.gz Extract it and step into the directory. gmake must be used according to Mozilla, and since it doesn't come standard on OSX, you can install it from DarwinPorts. Install DarwinPorts and then use the port command as root sudo port install gmake After gmake is installed, change to the mozilla/security/nss directory and run the following command gmake nss_build_all This will build all the necessary binaries for your architecture and place them in the cmd/ directory. You only need to copy out the binaries for pk12util and certutil. They are located here mozilla/security/nss/cmd/pk12util/Darwin8.8.0_DBG.OBJ/pk12util mozilla/security/nss/cmd/certutil/Darwin8.8.0_DBG.OBJ/certutil Copy them to the ~/coding/get-cert/$ARCH/ folder. You'll need to build these binaries on both an Intel and a PPC machine. Next you need to compile the kx509 and kxlist tools. Luckily, you can crosscompile these tools on a single architecture. I used PPC, but I believe Intel would work equally fine. Download the kx509 code from the University of Michigan CITI site. http://www.citi.umich.edu/projects/kerb_pki/ and the current release can be gotten here http://www.citi.umich.edu/projects/kerb_pki/kx509.dist20031111.tar.gz Untar it to a folder and step into it. Create a folder called 'osx' and change into it. Paste the following command, all on one line. env CFLAGS="-O -g -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch i386 -arch ppc -DBIND_8_COMPAT -Ddarwin" \ LDFLAGS="-arch i386 -arch ppc" ../src/configure --with-krb5=/usr This will configure kx509 to build. Note that if you forget the two -D arguments, kx509 will FAIL to build. Randy was smart enough to find the solution and adding the -D arguments was it. Once it configures, make it make When you're done, you'll have kx509 and kxlist universal binaries in your osx directory Copy those binaries into the ~/coding/get-cert/universal directory Now you need to combine the PPC and i386 builds of pk12util and certutil into one universal binary Change to the ~/coding/get-cert/ directory and run the following commands lipo -create i386/pk12util ppc/pk12util -output universal/pk12util lipo -create i386/certutil ppc/certutil -output universal/certutil This will create the needed universal binaries and place them in the universal/ directory. Now, you want to go about making the get-cert package for release. First, copy all the binaries in universal/ into the folder ~/coding/get-cert/distro/get-cert/mac_osx. Now, you need to tar everything up. Change into the ~coding/get-cert/distro folder and run the following command ./make-get-cert This will create the tarball which can then be distributed to the world.