Installing Libsodium on Amazon Linux 2023

Surprisingly, AWS has chosen not to include a package for libsodium in its latest releases of Amazon Linux 2023 (even though it was included in Amazon Linux 2, and in Amazon Linux 2023 pre-releases until June 2022). Fortunately, libsodium is easy enough to build and install yourself. Here’s how to do it on Amazon Linux 2023:

Install Prerequisites

To build libsodium, you’ll first need to have the gcc, make, and wget packages installed:

$ sudo dnf install gcc make wget
Dependencies resolved.
...
Install  23 Packages

Total download size: 55 M
Installed size: 183 M
Is this ok [y/N]: y
...
Complete!

Download Release

Next, download the latest versioned release from the libsodium releases archive:

$ wget https://download.libsodium.org/libsodium/releases/libsodium-1.0.18.tar.gz
...
‘libsodium-1.0.18.tar.gz’ saved [1919817/1919817]

Note

Tarballs listed in the libsodium releases archive with no suffix (e.g. libsodium-1.0.18.tar.gz) contain the source code corresponding to a versioned release. Tarballs with the latest version number and the -stable suffix (e.g. libsodium-1.0.18-stable.tar.gz) contain the current snapshot of the source code from the project’s stable branch (under other common versioning schemes, a tarball like this would instead use an alpha or SNAPSHOT suffix and the next release number, e.g. libsodium-1.0.19-alpha.tar.gz or libsodium-1.0.19-SNAPSHOT.tar.gz). Tarballs with the -mingw or -msvc suffix contain Windows binaries.

See the libsodium releases README for further details.

Verify Signature

Next, import the GPG keys for Frank Denis (libsodium’s maintainer), either by copying them from the Integrity Checking section of libsodium’s Installation page or by downloading them directly from his personal site:

$ wget https://download.pureftpd.org/public_keys/jedi.gpg.asc -O - | gpg --import -
...
(436 MB/s) - written to stdout [8879/8879]

gpg: key 210627AABA709FE1: 3 signatures not checked due to missing keys
gpg: key 210627AABA709FE1: public key "Frank Denis <opstrust@pureftpd.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found

Then verify the tarball you just downloaded in the previous step with these keys:

$ wget https://download.libsodium.org/libsodium/releases/libsodium-1.0.18.tar.gz.sig -O - | gpg --verify - libsodium-1.0.18.tar.gz
...
(33.4 MB/s) - written to stdout [566/566]

gpg: Signature made Thu 30 May 2019 09:00:08 PM UTC
gpg:                using RSA key 0C7983A8FD9A104C623172CB62F25B592B6F76DA
gpg: Good signature from "Frank Denis <opstrust@pureftpd.org>" [unknown]
gpg:                 aka "Frank Denis (Jedi/Sector One) <0daydigest@pureftpd.org>" [unknown]
gpg:                 aka "Frank Denis (Jedi/Sector One) <j@pureftpd.org>" [unknown]
gpg:                 aka "Frank Denis <github@pureftpd.org>" [unknown]
gpg:                 aka "Frank Denis <frank.denis@corp.ovh.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 54A2 B889 2CC3 D6A5 97B9  2B6C 2106 27AA BA70 9FE1
     Subkey fingerprint: 0C79 83A8 FD9A 104C 6231  72CB 62F2 5B59 2B6F 76DA

The important part of the resulting verification message is that you have a Good signature from a known, expected key fingerprint (0C79 83A8 FD9A 104C 6231 72CB 62F2 5B59 2B6F 76DA). The other bits of the output are relevant only if you’ve fiddled enough with your GPG trust DB to set a trust level for the key.
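
The same check in scripted form, as an added example that is not part of the original post: it reads gpg's machine-readable status lines and accepts the tarball only when VALIDSIG names the subkey and primary key fingerprints shown above. The function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: scripted form of the manual "Good signature + expected
# fingerprint" check. Fingerprints are the ones in the gpg output above.
EXPECTED_PRIMARY=54A2B8892CC3D6A597B92B6C210627AABA709FE1
EXPECTED_SUBKEY=0C7983A8FD9A104C623172CB62F25B592B6F76DA

# check_status: read `gpg --status-fd` lines on stdin. Succeeds only if a
# VALIDSIG line names the expected signing subkey (field 3) and primary key
# (last field), and no line reports a bad, expired or revoked signature.
check_status() {
    awk -v sub_fpr="$EXPECTED_SUBKEY" -v pri_fpr="$EXPECTED_PRIMARY" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && $3 == sub_fpr && $NF == pri_fpr { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_release TARBALL SIGFILE: run gpg non-interactively and apply the
# check above. Human-readable messages on stderr are discarded.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status
}

# Constructed sample of the status lines for the signature shown above
# (the numeric VALIDSIG fields are illustrative, not captured output).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 62F25B592B6F76DA Frank Denis <opstrust@pureftpd.org>
[GNUPG:] VALIDSIG 0C7983A8FD9A104C623172CB62F25B592B6F76DA 2019-05-30 1559250008 0 4 0 1 10 00 54A2B8892CC3D6A597B92B6C210627AABA709FE1'

# Offline demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_STATUS" | check_status; then
    echo "sample status accepted"
fi
```

With the key imported and both files downloaded, `verify_release libsodium-1.0.18.tar.gz libsodium-1.0.18.tar.gz.sig && tar xf libsodium-1.0.18.tar.gz` extracts the tarball only if the check passes.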

Build & Install

Now you can extract the libsodium tarball, and run through libsodium’s build steps:

First, extract the tarball and enter its root directory:

$ tar xf libsodium-1.0.18.tar.gz
$ cd libsodium-1.0.18

Then run the configuration script:

$ ./configure
checking build system type... aarch64-unknown-linux-gnu
...
config.status: executing libtool commands

Next, build the library and run its validation test suite (these steps may take a minute or two on slower hardware):

$ make && make check
Making all in builds
make[1]: Entering directory '/home/ec2-user/libsodium-1.0.18/builds'
...
make[1]: Leaving directory '/home/ec2-user/libsodium-1.0.18'
Making check in builds
make[1]: Entering directory '/home/ec2-user/libsodium-1.0.18/builds'
...
make[3]: Leaving directory '/home/ec2-user/libsodium-1.0.18/test/default'
make  check-TESTS
make[3]: Entering directory '/home/ec2-user/libsodium-1.0.18/test/default'
make[4]: Entering directory '/home/ec2-user/libsodium-1.0.18/test/default'
PASS: aead_aes256gcm
PASS: aead_aes256gcm2
...
PASS: siphashx24
PASS: xchacha20
============================================================================
Testsuite summary for libsodium 1.0.18
============================================================================
# TOTAL: 77
# PASS:  77
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================
make[4]: Leaving directory '/home/ec2-user/libsodium-1.0.18/test/default'
...
make[1]: Leaving directory '/home/ec2-user/libsodium-1.0.18'

The result of these commands should be that all the tests in the test suite pass.

Finally, install the built library binary into your /usr/local/lib directory (and its corresponding header files into the /usr/local/include directory) with the following command:

$ sudo make install
Making install in builds
make[1]: Entering directory '/home/ec2-user/libsodium-1.0.18/builds'
...
Libraries have been installed in:
   /usr/local/lib
...
make[1]: Leaving directory '/home/ec2-user/libsodium-1.0.18'

Update Library Paths

The last step needed is to update the system’s dynamic library linker with the new library.

Run the following command to add /usr/local/lib to the system’s trusted library paths:

$ echo /usr/local/lib | sudo tee /etc/ld.so.conf.d/local.conf
/usr/local/lib

Then run the ldconfig command to update the linker’s cache:

$ sudo ldconfig

Check for libsodium in the linker’s cache with the following command:

$ ldconfig -p | grep libsodium
    libsodium.so.23 (libc6,AArch64) => /usr/local/lib/libsodium.so.23
    libsodium.so (libc6,AArch64) => /usr/local/lib/libsodium.so

Now libsodium should be available for use on the system!

Bonus: Build & Install Minisign

You can now compile and run various other programs that rely on libsodium. One such program is Minisign (which allows for signing and verifying files with less fuss than GPG). You can build and install it on Amazon Linux 2023 as follows:

First, install the cmake package:

$ sudo dnf install cmake
Dependencies resolved.
...
Install  9 Packages

Total download size: 7.3 M
Installed size: 28 M
Is this ok [y/N]: y
...
Complete!

Next, download the latest tarball from the Minisign releases archive:

$ wget https://github.com/jedisct1/minisign/archive/refs/tags/0.10.tar.gz
...
(1.85 MB/s) - ‘0.10.tar.gz’ saved [18242]

Extract the tarball and enter its root directory:

$ tar xf 0.10.tar.gz
$ cd minisign-0.10

From there, create a new build directory, and run cmake in it:

$ mkdir build && cd build
$ cmake ..
CMake Deprecation Warning at CMakeLists.txt:1 (cmake_minimum_required):
...
-- Build files have been written to: /home/ec2-user/minisign-0.10/build

Then run the Makefile that’s been generated in the build directory:

$ make
[ 20%] Building C object CMakeFiles/minisign.dir/src/base64.c.o
[ 40%] Building C object CMakeFiles/minisign.dir/src/get_line.c.o
[ 60%] Building C object CMakeFiles/minisign.dir/src/helpers.c.o
[ 80%] Building C object CMakeFiles/minisign.dir/src/minisign.c.o
[100%] Linking C executable minisign
[100%] Built target minisign

Finally, install the built minisign executable (to your /usr/local/bin directory):

$ sudo make install
Consolidate compiler generated dependencies of target minisign
[100%] Built target minisign
Install the project...
-- Install configuration: "MinSizeRel"
-- Installing: /usr/local/bin/minisign
-- Set runtime path of "/usr/local/bin/minisign" to ""
-- Installing: /usr/local/share/man/man1/minisign.1

Minisign is now installed and available on the system:

$ minisign -v
minisign 0.10