This is a guide for Scala and Java development on Windows, using Windows Subsystem for Linux, although a bunch of it is applicable to a VirtualBox / Vagrant / Docker subsystem environment. This is not complete, but is intended to be as step by step as possible.
Read the entire Decent Security guide, and follow the instructions, especially:
- Set UAC to full
- Enable Drive Encryption
- Disable webcam and microphone devices
- Install GlassWire Firewall
Be aware that according to CrowdStrike, WSL does expose you to any Ubuntu 14.04 vulnerabilities -- video about 30 minutes in:
Initially known as "Project Astoria" and delivered in beta builds of Windows 10 Threshold 2 for Mobile, Microsoft implemented a full blown Linux 3.4 kernel in the core of the Windows operating system, including full support for VFS, BSD Sockets, ptrace, and a bonafide ELF loader. After a short cancellation, it's back and improved in Windows 10 Anniversary Update ("Redstone"), under the guise of Bash Shell interoperability. This new kernel and related components can run 100% native, unmodified Linux binaries, meaning that NT can now execute Linux system calls, schedule thread groups, fork processes, and access the VDSO!
As it's implemented using a full-blown, built-in, loaded-by-default, Ring 0 driver with kernel privileges, this is not a mere wrapper library or user-mode system call converter like the POSIX subsystem of yore. The very thought of an alternate virtual file system layer, networking stack, memory and process management logic, and complicated ELF parser and loader in the kernel should tantalize exploit writers - why choose from the attack surface of a single kernel, when there's now two?
But it's not just about the attack surface - what effects does this have on security software? Do these frankenLinux processes show up in Procmon or other security drivers? Do they have PEBs and TEBs? Is there even an EPROCESS? And can a Windows machine, and the kernel, now be attacked by Linux/Android malware? How are Linux system calls implemented and intercepted?
Install Pengwin from the Microsoft Store. Pay the money: it's less than what you'd pay for a decent lunch. It's worth it to have all the WSL hacks done for you, and have someone else keep it up to date.
Once you've installed it in Windows, open up a Pengwin console by hitting the Windows key and searching for "Pengwin", and then type pengwin-setup at the console.
Install what you like, but do not install Java from Pengwin directly, as we'll be doing that through SDKMAN.
Install ConEmu. It is a much better console emulator for using WSL.
Go to Settings, then "Startup" / "Specified named task" and click {Bash::bash}, and then "Save settings". If you don't see "bash" then look at the WSL page that ConEmu has.
Set the console height to 9999.
Open up Windows PowerShell to install the Powerline fonts on Windows (see below for Git details):
git clone https://github.com/powerline/fonts
cd fonts
powershell -noexit -executionpolicy bypass -File .\install.ps1
Then set the main console font to "Meslo LG M for Powerline".
Pengwin takes care of a lot of this for you with pengwin-setup, but not all of it.
Pengwin will set up zsh for you, but it's the default robbyrussell theme, which is so déclassé. Use the agnoster theme by adding the following to $HOME/.zshrc:
ZSH_THEME="agnoster" # this already exists in .zshrc
...
# User configuration
export DEFAULT_USER="wsargent"
Download and install the powerline fonts in WSL:
git clone https://github.com/powerline/fonts
cd fonts
./install.sh
If you are installing Visual Studio Code and using the terminal, then you want to change the terminal.integrated.fontFamily:
"terminal.integrated.fontFamily": "Meslo LG M DZ for Powerline"
If you are installing IntelliJ IDEA and are using the console, then you want to go to "Editor / Color Scheme / Console Font", and change that to override the default font.
sudo apt-get install gnupg2
Please see the drduh guide for setting up GPG keys and using a secure configuration.
Install the JDK, sbt and so on with sdkman.
curl -s "https://get.sdkman.io" | bash
For example, to install Gradle:
source "/home/wsargent/.sdkman/bin/sdkman-init.sh"
sdk install gradle
Then to install Java:
sdk list java
sdk install java 8.0.212.hs-adpt
Then, attach the source code for the JDK -- this will let you walk through the internal code, especially needed for debugging JCA issues.
git clone --depth 1 https://github.com/AdoptOpenJDK/openjdk-jdk8u
And then attach openjdk-jdk8u/jdk/src/share/classes to your IDE.
You don't have to use SDKMAN. If you do use update-java-alternatives, use this gist to set up the OpenJDK you just loaded with Ubuntu.
Install SBT using sdkman. Add the following to $HOME/.zshenv:
export JAVA_OPTS="-Xmx2G -Xss2M -XX:MaxMetaspaceSize=512M -XX:ReservedCodeCacheSize=192M -Dfile.encoding=UTF-8"
This sucked when I first tried it, but it is WAY, WAY better now. The only thing that is still confusing is having the copy paste be different between Windows and X11 -- select copies in X11, so it will wipe out what you had in the clipboard.
IntelliJ IDEA and Visual Studio Code are accessible through X11, and Pengwin will let you install VS Code through pengwin-setup.
Install X410 on Windows 10 from the Microsoft Store. Pay the money, it's worth it. Start it up and make sure it's working. In particular, make sure that Pengwin has the "Settings" and the "Windows 10" theme turned on.
Edit your startup (.zshrc | .bashrc) file and append the following:
export DISPLAY="localhost:0"
Then, once you've got the DISPLAY environment variable on your system:
code .
and you should see it appear on your Windows machine. See the HiDPI section if it shows up really small.
This is still a bit awkward.
X410 will do HiDPI. For Qt 5.6 or higher:
export QT_SCALE_FACTOR=2
and for GDK 3 (GTK+ 3):
export GDK_SCALE=2
If the above don't seem to work, there are manual options for IntelliJ IDEA and VS Code.
IntelliJ IDEA: Up the font size using the techniques described in their support page.
VS Code: Use Ctrl-Plus to increase the size of everything.
Pengwin includes wslutilities, which contains the following utilities:
- wslusc: A WSL shortcut creator to create a shortcut on your Windows 10 Desktop.
- wslsys: A WSL system information printer to print out system information from Windows 10 or Linux.
- wslfetch: A WSL Screenshot Information Tool to print information in an elegant way.
- wslvar: A WSL tool to help you get Windows system environment variables.
- wslview: A fake WSL browser that can help you open links in the default Windows browser.
- wslupath: (Deprecated) A WSL tool to convert path styles.
There's no online documentation in the README and the man pages are gzipped on GitHub, so the best way to figure out what's going on is by looking at the source code, i.e. https://github.com/wslutilities/wslu/blob/master/src/wslusc.sh#L14 for wslusc.
You can use wslusc to create a shortcut to the X11 application. It shows with an empty command prompt and there's no shortcut icon, but it does work. I usually edit the shortcut to add DISPLAY=:0 in front of the command, just in case it doesn't catch somehow.
Pengwin takes care of this.
If you want to edit the Linux subsystem without having to go through the console, then you can mount it through Windows.
Install Win-sshfs 1.5.12.8 and Dokan 0.7.4.
Then mount the drive using your SSH settings. You'll see another drive show up, and you can edit files from there.
Set up GitHub and Git from inside WSL, and use IntelliJ and VS Code to access it. A Linux GUI will work as well.
SSH support is through WSL only, so it works the same way.
After that, you should be able to clone using ssh transport:
mkdir playframework
cd playframework
git clone git@github.com:wsargent/playframework.git master
and also push to your GitHub remote origin:
git push origin my-bug-fix-branch
and pull:
git pull --rebase
I use a Yubikey 4 to do my git commit signing. This means I need a gpg-agent and pinentry for Windows. USB / Smartcard devices like Yubikey are not accessible to WSL at all, so it must be on the Windows Git side.
Install GPG4Win.
Import your public key, i.e. https://keybase.io/will_sargent/key.asc into GPG4Win. Get Kleopatra up and running.
Then, following the drduh guide, install weasel-pageant: add the following into $HOME/.zshrc:
# https://github.com/vuori/weasel-pageant#note-regarding-the--a-flag
eval $(/mnt/c/Users/wsargent/weasel-pageant/weasel-pageant -rb -a $HOME/.weasel-pageant.sock)
Once you've got a connection between weasel-pageant and the Yubikey, everything should work according to drduh's Yubikey guide.
For my purposes, I just set up github.com in $HOME/.ssh/config so that it uses the forwarding agent:
Host github.com
User git
ForwardAgent yes
then trust it:
gpg --edit-key 2BC6C4B7
~ gpg --edit-key 2BC6C4B7
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 2048R/2BC6C4B7 created: 2014-02-16 expires: 2018-02-16 usage: SC
trust: unknown validity: unknown
sub 2048R/26FC797F created: 2014-02-16 expires: 2018-02-16 usage: E
sub 4096R/D65E090B created: 2016-09-12 expires: 2017-09-12 usage: A
sub 4096R/267A1666 created: 2016-09-12 expires: 2017-09-12 usage: S
[ unknown] (1). William Sargent <[email protected]>
[ unknown] (2) William Sargent (Lightbend) <[email protected]>
[ unknown] (3) William Sargent (https://keybase.io/will_sargent) <[email protected]>
gpg> trust
pub 2048R/2BC6C4B7 created: 2014-02-16 expires: 2018-02-16 usage: SC
trust: unknown validity: unknown
sub 2048R/26FC797F created: 2014-02-16 expires: 2018-02-16 usage: E
sub 4096R/D65E090B created: 2016-09-12 expires: 2017-09-12 usage: A
sub 4096R/267A1666 created: 2016-09-12 expires: 2017-09-12 usage: S
[ unknown] (1). William Sargent <[email protected]>
[ unknown] (2) William Sargent (Lightbend) <[email protected]>
[ unknown] (3) William Sargent (https://keybase.io/will_sargent) <[email protected]>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub 2048R/2BC6C4B7 created: 2014-02-16 expires: 2018-02-16 usage: SC
trust: ultimate validity: unknown
sub 2048R/26FC797F created: 2014-02-16 expires: 2018-02-16 usage: E
sub 4096R/D65E090B created: 2016-09-12 expires: 2017-09-12 usage: A
sub 4096R/267A1666 created: 2016-09-12 expires: 2017-09-12 usage: S
[ unknown] (1). William Sargent <[email protected]>
[ unknown] (2) William Sargent (Lightbend) <[email protected]>
[ unknown] (3) William Sargent (https://keybase.io/will_sargent) <[email protected]>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
gpg> save
Then, when you want to use GPG signing with GitHub, the Windows pinentry from Kleopatra will come up, and you type the Yubikey PIN to sign with your private key.
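The listing above shows the A and S subkeys expiring a year before the primary key, which is easy to miss in the --edit-key output. As an added example (not part of the original guide), this shell snippet parses that gpg 1.4-style listing and reports which keys are still unexpired for a given usage on a given date; the function names are hypothetical, and the sample input is the pub/sub lines copied from the transcript above.

```bash
#!/bin/sh
# Added example: flag expired keys in a gpg 1.4-style listing read from stdin.

# Sample input: pub/sub lines copied from the --edit-key transcript on this page.
sample_listing() {
cat <<'EOF'
pub 2048R/2BC6C4B7 created: 2014-02-16 expires: 2018-02-16 usage: SC
trust: unknown validity: unknown
sub 2048R/26FC797F created: 2014-02-16 expires: 2018-02-16 usage: E
sub 4096R/D65E090B created: 2016-09-12 expires: 2017-09-12 usage: A
sub 4096R/267A1666 created: 2016-09-12 expires: 2017-09-12 usage: S
EOF
}

# key_status TODAY -> one line per key: "<keyid> <usage> <expires> <OK|EXPIRED>"
# TODAY is YYYY-MM-DD. ISO dates sort correctly as plain strings, so no date
# arithmetic is needed. A key counts as OK through its expiry date, because the
# listing only shows the day, not the exact expiry time.
key_status() {
  awk -v today="$1" '
    $1 == "pub" || $1 == "sub" {
      split($2, id, "/")              # "4096R/267A1666" -> id[2] is the key ID
      expires = "never"; usage = "?"
      for (i = 3; i < NF; i++) {
        if ($i == "expires:") expires = $(i + 1)
        if ($i == "usage:")   usage   = $(i + 1)
      }
      expired = (expires != "never" && (expires "") < (today ""))
      print id[2], usage, expires, (expired ? "EXPIRED" : "OK")
    }'
}

# usable_keys USAGE TODAY -> IDs of unexpired keys whose usage includes USAGE
# (S = sign, E = encrypt, A = authenticate, C = certify).
usable_keys() {
  key_status "$2" | awk -v want="$1" 'index($2, want) && $4 == "OK" { print $1 }'
}

# Stand-alone run: status of the sample keys as of today.
sample_listing | key_status "$(date +%Y-%m-%d)"
```

Against a live keyring, `gpg --list-keys --with-colons` is the output GnuPG intends for scripts; the human-readable listing is parsed here only because it is what the page shows.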
For the GPG Support section, I am able to use my yubikey with GIT via PLINK: GIT_SSH=C:\ProgramData\chocolatey\bin\PLINK.EXE
Putty apparently only supports rsa keys, but since that's all the yubikey can do, seems like a good fit!