Building GnuPG for Win32 using MinGW

(instructions by Carlo Luciano Bianco <clbianco@tiscalinet.it>)

Version 1.0.0 FINAL...

... or, well, everything comes to an end. ;-)

Forewords to the FINAL version

Everything comes to an end: including the tutorial for native building GnuPG for Win32 using MinGW/MSYS. In fact, I took a decision: to freeze the tutorial web page as it is now (August 2015) without performing any further update. There are many reasons for this decision.

This tutorial, in fact, was born in completely different context than the one we are facing today. GnuPG 1.0.7 had been just released, but without an official Windows build. There were rumors that official Windows binaries would not be released any longer, and that Windows users would have need to build GnuPG for Windows by themselves from the official sources. This operation was not trivial at all, a Linux machine was needed and this, for many users, implied to create an ad-hoc partition on their hard disk (locking a relevant part of the small available space) to install Linux. In this context, an alternative route was tried: since there was a "minimal" Windows port of GCC (MinGW) and of some common Linux utilities (MSYS), to use these ones to build GnuPG natively within Windows. So the tutorial was born.

In all these years, however, the situation changed very much. First of all, the "danger" that we faced with GnuPG 1.0.7 does not exist anymore, and official binaries for Windows are always released for any GnuPG version. Therefore, hand-made builds are much less needed. Moreover, GCC for Windows is always in an everlasting "beta" stage, with strong limitations compared to the corresponding Linux versions. This also implies that installing and configuring a MinGW/MSYS system is not an easy task. Maybe it is also due to this (and to keep unnecessary complications out of the code base) that GnuPG developers never officially supported the native compilation, always preferring the cross-compilation from Linux. Things got even more complicate with the 2.x branch of GnuPG. This version is very different from the 1.x and, as a consequence, also due to the above mentioned limitations of GCC porting under Windows, native build of GnuPG 2.x at the present date is simply not possible (or anyway it is only with an unjustified effort). Updating the tutorial to support GnuPG 2.x is therefore unfeasible.

On the other hand, nowadays cross-compilation from Linux is much simpler than in the past. Anyone can download a program to create a virtual machine (e.g., VirtualBox), run inside it a live Linux, build GnuPG, and than delete completely the virtual machine without wasting even a single byte of the hard disk (although this is no longer a problem, now that hard disk sizes are measured in Terabytes). After all, the route which once was the most complex, when the tutorial was born, nowadays is the simplest one.

Therefore, I think that the tutorial fulfilled its own duties, and that it reached its retirement time. The web page will remain online as it is now, for "historical" reasons, and its version is "fixed" to "1.0.0 FINAL".

I take this occasion to thank very much once more all the friends that, both on the it.comp.sicurezza.crittografia newsgroup, and also contacting me directly via e-mail, gave hints, suggestions, made tests, etc., to make the tutorial as simple, clear and effective as possible, and who are recalled in the forewords of the tutorial itself.

0) Original forewords

This text describes the steps needed to build GnuPG for Win32 using MinGW in a native Win32 environment, without cross-compiling from a Linux system. These instructions refer to GnuPG 1.4.13 [I know, some images show 1.4.0, or even 1.2.6, but I am too lazy to recreate them every time... ;-)], but maybe they can also be applied, with some modification, to all the other 1.x versions since 1.2.0. Of course, I can't say anything about the future versions since (and including) 1.5.0...

In principle, with a similar procedure, it should also be possible to build GnuPG for Win64 using mingw-w64. Unfortunately, I have no access to a Win64 machine, and therefore I cannot test this possibility to describe in details the procedure.

Of course, this is just the description of the procedure I followed to build GnuPG for Win32. Probably it can be improved in some places. It is not sure that this procedure will work on your machines like it worked on mine and that it will not create you any problem. All that I can say is in the title of this page: following this procedure, "on my PC it worked, on yours I don't know". If you find errors of any kind in this text, please feel free to point them out to me.

Now, if you are not completely sure of what you are doing and/or you have doubts of any kind about the correctness of the obtained result, my suggestion is to avoid the "home-made" builds and to use the official binaries found on GnuPG web site.

If, on the contrary, you arrived up to this point in the text and you still want to try, then take a long breath, count up to 10, repeat loudly the English alphabet from "z" to "a" a couple of times, think to it again and, if you are still sure, then... well... in the following there are all the instructions you need!

Before starting, the author of this page wants to thank TJL73 who tested on his machine the correctness and completeness of the following procedure. The subtitle then can be read as "on our PCs it worked, on yours I don't know"... ;-)

The author wants to thank as well Joe Vender and Maxine Brandt, for their help in solving the compatibility problems between GnuPG and the external libraries for Win32, Tom Pegios, for his suggestions about a simpler way to remove debugging symbols, about statically linking libcurl and about the possibility to use mingw-w64, PIK, for pointing to my attention the existence of the TDM version of GCC for MinGW and for many discussions on the options to be passed to GCC to better optimize the code for different architectures, and Michel Nallino aka WinTerMiNator who, beside taking care of the French version of the page, gave also many suggestions to make its contents much more clear and complete even in the other languages... ;-)

These are the instructions. Good luck!

1) MinGW installation:

1.1) Go to the website http://sourceforge.net/projects/mingw/files/Installer/mingw-get-inst/ and download the last version of the installer (version 20111118 now when I am writing).

1.2) Start the installer, setting the destination to a folder with no spaces in the name (the default "C:\MinGW" is perfect). When asked about the "Repository catalogues", select "Download latest repository catalogues". In this way you will be sure to have the latest versions of the MinGW packages.

1.3) When selecting the packages to install, consider that only "C compiler" and "MSYS Basic System" are required to build GnuPG. Of course, you can install any other package you want.

1.4) Now you can run the MinGW Shell with the start menu icon.

1.5) At MinGW prompt, write "gcc -v" and press enter. If you see something similar to this figure:

--Image: Testing MSYS installation.  MSYS prompt window with GCC
version in reply to a gcc -v command. End image.--

then congratulations: GCC is working!

1.6) If you want to build a copy of GnuPG supporting other languages than English, you must download and install the additional MinGW packages "libiconv" and "gettext". Moreover, if you want to be able to perform the checks to test the newly built copy of GnuPG, you must download and install the additional package "msys-coreutils". To do so, you must write at MinGW prompt the command "mingw-get install libiconv gettext msys-coreutils" (you can limit the list to the sole packages you want to install) and press enter. The procedure should automatically download and install the required files.

2) Downloading and fixing GnuPG sources:

Before starting the compilation, a small fix to GnuPG sources is required if you want to perform the checks.

2.1) If you have not yet done so, download the GnuPG 1.4.13 source (of course from http://www.gnupg.org). In the MinGW folder, there is a subfolder named "msys", with another subfolder "1.0", with another subfolder "home", with another subfolder named after your user name. You have to unpack GnuPG sources inside this last folder, with all the directory structure of the compressed file. If everything is OK, you will have another subfolder named "gnupg-1.4.13" with all the sources inside.

2.2) If you want to be able to perform the checks, open the file "seat.test" in the "checks" subfolder and go to line 9.

--Image: File SEAT.TEST before the change.  End image.--

Change "$i y" into "z y" and add just before line 9 two new lines with the following commands: "cp $i z" and "unix2dos z". Save and close the file.

--Image: File SEAT.TEST after the change. End image.--

2.3) If you want, and ONLY if you know VERY WELL what you are doing, you can make a small change to the GnuPG source code to enable the creation of keys longer than 4096 bits. Such keys can be used by GnuPG, but their creation is disabled by default. Following NIST guidelines, a strength equivalent to a symmetric cipher with a 128 bit key (like AES-128) is provided by a RSA key with a length of 3072 bits. A strength equivalent to a symmetric cipher with a 256 bit key (like AES-256) is instead provided by a RSA key with a length of about 15000 bits. On this topic see also this page on Wikipedia. In other words, if one is using symmetric ciphers with 128 bit keys the limit of 4096 bits for the RSA keys is more than enough. However, if one is using symmetric ciphers with 256 bit keys it may be useful to create larger RSA keys. The modification to GnuPG sources is described on this page. To make it short, open the file "gpg.c" in the "g10" subfolder, go to line 1996 and change "32768" into "131072". Save and close the file. Then open the file "keygen.c", still in the "g10" subfolder, go to line 1575 and change "4096" into "65535". Save and close the file. Pay attention that for this change you are on your own, with all possible problems and incompatibilities. Pay also attention that, even if now GnuPG is able to create RSA keys with a length of 65535 bits, RSA keys larger than 16000-20000 bit are completely useless if used in combination with 256 bit symmetric ciphers (the maximum currently supported by GnuPG).

3) Building GnuPG:

3.1) Now insert the following commands at a newly started MinGW prompt:
a) cd gnupg-1.4.13
b) CFLAGS='-O2 -m32 -mtune=i386 -march=i386 -mfpmath=387 -mno-mmx -mno-sse -mno-3dnow -mno-sse2' LDFLAGS='-s -static' ./configure --with-included-zlib

--Image: GnuPG building process starting. MSYS prompt window with the
command line to start the configure script. End image.--

Other options can be added at the end of the "./configure" command line. E.g., it is possible to add "--enable-camellia" to enable the experimental support for the "Camellia" encryption algorithm. A list of all the possible options can be viewed with the command "./configure --help". With this procedure you will then obtain an executable which will be able to run on every i386 machine. If you want to enable special optimizations for your machine, you can change the parameters in the CFLAGS variable with the ones of your choice. E.g., for a Pentium 4 machine, you can specify:

CFLAGS='-O3 -m32 -march=pentium4 -mfpmath=sse'

or, for an Athlon-XP:

CFLAGS='-O3 -m32 -march=athlon-xp -mfpmath=sse'.

for recent Intel CPUs, a good choice may be one of the following:

CFLAGS='-O3 -m32 -march=pentium-m -mfpmath=sse'
CFLAGS='-O3 -m32 -march=core2 -mfpmath=sse'

for recent AMD CPUs, a good choice may be:

CFLAGS='-O3 -m32 -march=amdfam10 -mfpmath=sse'.

A compromise between old and new machines, probably, may be one of the following:

CFLAGS='-O3 -m32 -march=pentium2',
CFLAGS='-O3 -m32 -march=i686 -mmmx'.

More aggressive optimizations can be enabled by changing '-O3' into '-Ofast'. For a complete list of all the parameters you can specify to trigger special optimizations, you can look the GCC user manual. Now, you will see many messages while all the building parameters are set. At the end, you should see the message in the figure below. If you do not see it, then there was some problem and you should fix it before continuing.
c) make

--Image: GnuPG building process. The configure script ended with the
message that GnuPG is now configured to be built on MinGW32, just before
issuing make. End image.--

You will see again many messages during the build process. If everything goes right you will see something similar to the figure below, otherwise the build process will stop with an error.

--Image: GnuPG building process ending. The last part of make output is
shown.  End image.--

d) make check
This is not a mandatory step, but it is useful to check the everything went right and that the newly built GnuPG works perfectly.

--Image: Checking built GnuPG. It is shown make check output and
the final steps. End image.--

e) iconv -f LATIN1 -t cp850 po/it.po > po/it2.po && mv po/it2.po po/it.po && msgfmt -o po/it.gmo po/it.po
where "it" can be changed with the localization file of your choice (e.g., "fr" for French, "es" for Spanish, ecc.) and "cp850" must of course be changed with the actual codepage (some sort of "character table") used by your Windows version in the command prompt windows. The codepage 850 is the one, so called, of Western Europe, and it is used by Italian versions. To know the codepage used by your Windows version, open a command prompt window and use the command "chcp". If you are interested in more than a GnuPG localization, repeat this point "e" for all the localization files of your choice. If you have skipped libiconv and gettext installation at point 1.6, then you must skip also this point "e".

3.2) If everything went well without any errors, then you will find gpg.exe and gpgv.exe in the g10 subfolder, gpgkeys_hkp.exe, gpgkeys_ldap.exe, gpgkeys_finger.exe and gpgkeys_curl.exe in the keyserver subfolder and gpgsplit.exe in the tools subfolder. Now you can copy them in another folder (e.g. C:\GnuPG). If you performed the point "3.1e" above, copy there also the file libiconv-2.dll which can be found in C:\MinGW\bin changing its name in "iconv.dll". You can also copy the file "it.gmo" (or the one you created at point 3.1e above), which is in the "po" subfolder, in the folder of the GnuPG localization files (e.g. C:\GnuPG\gnupg.nls) renaming it as "it.mo". You can now follow the standard GnuPG installation procedure, described in the README-W32.txt file, creating the required registry keys.


--- Valid HTML 4.01! --- Valid CSS! --- Level Triple-A conformance icon, W3C-WAI Web Content Accessibility Guidelines 1.0 ---

--- Bobby WorldWide Approved AAA --- Cynthia Tested! --- Bobby WorldWide Approved 508 ---

--- Backward Compatible --- See your web site through colorblind eyes with the colorblind web page filter. --- Lynx Inspected ---

--- Created with VIM! --- Viewable With Any Browser --- Graphics by GIMP ---

--- Creative Commons License ---

--- OpenPGP Digitally Signed HTML ---