Compiling p11-kit from Source

This describes how to compile the p11-kit package from source code. This is normally only necessary for those wishing to contribute to the project or to package p11-kit.

You can download tarballs of the releases of p11-kit or check out the source code from git. This documentation will not go into all the details of how to get your development environment set up and instead focuses on what's unique to compiling p11-kit.

Building on UNIX

p11-kit uses the standard GNU build system, using autoconf for package configuration and resolving portability issues, automake for building makefiles that comply with the GNU Coding Standards, and libtool for building shared libraries on multiple platforms. The normal sequence for compiling and installing the p11-kit library is thus:

$ ./configure --prefix=/path/to/prefix ...
$ make
$ make install

If you've checked out the source code from git, then the configure script does not yet exist. So use the following instead:

$ ./autogen.sh --prefix=/path/to/prefix ...
$ make
$ make install

The standard options provided by GNU autoconf may be passed to the configure script. Please see the autoconf documentation or run ./configure --help for information about the standard options. In particular you probably want to adjust the --prefix=/xxx argument depending on your system and development environment.

Optional Dependencies

On a modern GNU Linux system, p11-kit has no required dependencies other than the standard C library. However on older UNIX systems, some of the following may be required.

  • gettext is required if your system doesn't have the gettext() functionality for handling message translation databases. This can be provided by the libintl library from the GNU gettext package.

  • pthread is required if your (ancient) system doesn't have this included in the base system. How this is provided is platform specific.

In addition p11-kit has several optional dependencies. If these are not available during the build, then certain features will be disabled.

  • libffi for sharing of PKCS#11 modules between multiple callers in the same process. It is highly recommended that this dependency be treated as a required dependency.

  • gtk-doc is required to build the reference manual. Use --enable-doc to control this dependency.

  • xsltproc is required to build the command manual pages. Use --enable-doc to control this dependency.

  • libtasn1 is required to build the trust module and code that interacts with certificates.

  • freebl3 (developed as part of the NSS code base) is an optional dependency that may be used to meet policy requirements of system builders. Enabling this dependency provides no other advantage.

Extra Configuration Options

In addition to the normal options, the configure script in the p11-kit library supports these additional arguments:

--disable-trust-module

Disables building of the trust policy module.

--disable-debug, --enable-debug

By default p11-kit is built with debug symbols, assertions and precondition checks. Enabling the debug option configures an even more detailed debug build, including disabling optimization. Disabling the debug option is not recommended, as it disables all assertions, preconditions and internal consistency checks, although it may result in a slightly faster library.

--enable-doc

Enables building of the documentation and command line manual. The documentation is built in the doc/html/ directory of the build. Requires the gtk-doc and xsltproc dependencies.

--enable-strict

Enables strict checks during building of p11-kit. All compiler warnings become errors.

--with-hash-impl=freebl

Instead of using internal hash code, link to the freebl3 library and use its hash implementations. The only advantage this brings is to meet the policy requirements of system builders.

--with-libtasn1, --without-libtasn1

Build with a dependency on the libtasn1 library. This dependency allows the trust policy module to be built as well as other code that interacts with certificates.

--with-module-path

Specify the path to look for PKCS#11 modules which were listed in a module config file with a relative path.

--with-trust-paths

Specify the files or directories to look for certificate anchors and blocklists. Multiple files and/or directories are specified with a : in between them. The first path has the highest priority when searching for certificates.
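
Because the first path wins when searching for certificates, it helps to check a value before passing it to --with-trust-paths. The following is an added example, not part of the p11-kit documentation or source: it splits the value on : and reports each entry in priority order, flagging entries that are missing or group- or world-writable. The function names, status labels and demo directories are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a colon-separated value meant for --with-trust-paths.
# Prints "<priority> <status> <path>" per entry, highest priority first.
# Status labels (ok, missing, writable) are this example's own convention.
# Returns 0 only if every entry exists and is not group- or world-writable.
audit_trust_paths() {
    paths=$1
    rank=0
    rc=0
    old_ifs=$IFS
    IFS=:
    set -f                      # split on ':' only, no glob expansion
    for p in $paths; do
        rank=$((rank + 1))
        if [ ! -e "$p" ]; then
            status=missing
        # -H follows a symlinked entry; -prune keeps find from descending
        elif [ -n "$(find -H "$p" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
            status=writable
        else
            status=ok
        fi
        [ "$status" = ok ] || rc=1
        echo "$rank $status $p"
    done
    set +f
    IFS=$old_ifs
    return "$rc"
}

# Constructed demo: one sane directory, one world-writable, one absent.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/anchors" "$tmp/shared"
    chmod 755 "$tmp/anchors"
    chmod 777 "$tmp/shared"
    audit_trust_paths "$tmp/anchors:$tmp/shared:$tmp/absent"
    result=$?
    rm -rf "$tmp"
    return "$result"
}

demo || echo "fix the flagged entries before running configure"
```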

--with-system-config

Specify the path to look for p11-kit config files. This usually defaults to something like /etc/pkcs11.

--with-user-config

Specify the path to look for user specific p11-kit config files. If you specify a path that begins with ~/ then this is expanded to the home directory of the user running p11-kit. If you specify a path that begins with ~/.config/ then this is expanded to the $XDG_CONFIG_HOME directory, as outlined in the XDG Base Dir specification. This option defaults to ~/.pkcs11