Sign minikube binaries for macOS

[tstromberg]

This would make it play better with Catalina.

There are some issues here in that the sig-release folks keep a tight reign on the Kubernetes certificate.

[priyawadhwa]

This issue is currently waiting on an official signing protocol from Kubernetes.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[tstromberg]

Related issues, all blocked on signing infra:

• Add Signing Process for Windows Installer #4841
• Make minikube (and kvm2) installable with "yum" #4716
• Add a new entry in travis.yml to build on Power #3310

[tstromberg]

#sig-release issue: kubernetes/release#839

[medyagh]

we still like to do this ! if anyone can help , help wanted !

[medyagh]

@prezha I wonder if u would like to take on this issue to start the conversation and add signing for minikube binaries?

[prezha]

@medyagh an interesting one - i accept the challenge!
i'd propose to start with signing the binaries for macos, then see for other platforms as well ({rpm, deb}, {exe}) as they all seem to need different handling

[afbjorklund]

I think we have already given up on the deb and rpm, the current apt and yum repositories are deprecated and the new ones are not taking new projects (SIGs)

So signing for Windows Store has higher priority

Arguably re-adding the snap to Ubuntu after that...

[prezha]

re: releases - repos, package managers & signing (#5792, #3110, #4716, kubernetes/release#839, etc.) - a brief update on this:

• apple: contacted, responded positive - willing to support, promised a senior manager will contact me back, didn't happen as of yet (will retry)
• microsoft: needs a "full" ev code signing certificate, no free options out there, look for a sponsor? (ref: https://comodosslstore.com/resources/free-code-signing-certificate/)
• linux: minikube's minikube apt & yum repos are available (for testing!) with the latest v1.24.0! instructions:
  • apt [arch: amd64, arm64, armhf, ppc64el, s390x]:
    • curl -fsSL https://keys.openpgp.org/vks/v1/by-fingerprint/61BCC110C8DFD072E2326DC92591E036E40127C3 | sudo gpg --dearmor -o /usr/share/keyrings/minikube-archive-keyring.gpg
    • echo "deb [arch=amd64 signed-by=/usr/share/keyrings/minikube-archive-keyring.gpg] https://minikube.triplepoint.tech/apt stable main" | sudo tee /etc/apt/sources.list.d/minikube.list
    • sudo apt clean && sudo apt update
    • sudo apt show minikube -a

Package: minikube
Version: 1.24.0-0
Priority: optional
Section: base
Maintainer: Thomas Strömberg <t+minikube@stromberg.org>
Installed-Size: unknown
Recommends: virtualbox
Download-Size: 23.5 MB
APT-Manual-Installed: yes
APT-Sources: https://minikube.triplepoint.tech/apt stable/main amd64 Packages
Description: Minikube
 minikube is a tool that makes it easy to run Kubernetes locally.
 minikube runs a single-node Kubernetes cluster inside a VM on your
 laptop for users looking to try out Kubernetes or develop with it
 day-to-day.

• yum [x86_64, aarch64, armv7hl, ppc64le, s390x]:
  • rpm --import https://keys.openpgp.org/vks/v1/by-fingerprint/61BCC110C8DFD072E2326DC92591E036E40127C3
  • zypper addrepo --gpgcheck --refresh https://minikube.triplepoint.tech/yum minikube && zypper refresh && zypper info minikube

Information for package minikube:
---------------------------------
Repository     : minikube
Name           : minikube
Version        : 1.24.0-0
Arch           : x86_64
Vendor         : 
Installed Size : 54.1 MiB
Installed      : No
Status         : not installed
Source package : minikube-1.24.0-0.src
Summary        : Run Kubernetes locally
Description    : 
    Minikube is a tool that makes it easy to run Kubernetes locally.
    Minikube runs a single-node Kubernetes cluster inside a VM on your
    laptop for users looking to try out Kubernetes or develop with it
    day-to-day.

• or, eg:

echo "[minikube]
name=minikube
baseurl=https://minikube.triplepoint.tech/yum
enabled=1
gpgcheck=1
gpgkey=https://keys.openpgp.org/vks/v1/by-fingerprint/61BCC110C8DFD072E2326DC92591E036E40127C3" > /etc/yum.repos.d/minikube.repo

• yum clean all && yum makecache && yum info minikube ...

i've tested it with opensuse tumbleweed, debian 11, centos 8, and it would be great if others would also be interested in testing these repos with their favourite apt/yum package manager and report back if it's working for them or not (something like "full os: result" [w/ error details if any] would be ok)
please note that i only tried to give guidance/examples of how to configure repos above, but your mileage may vary and should be adapted for your specific case
in case of any errors with the binaries themselves - please try with the github versions before reporting any issue

if it works (for most, at least) and would be useful, we might promote it to "production" and publish the gpg key (https://keys.openpgp.org/vks/v1/by-fingerprint/61BCC110C8DFD072E2326DC92591E036E40127C3) on our website as well

thanks!

minikube.public.txt

[medyagh]

@prezha is there anything new on this?

[prezha]

@medyagh sorry for my late reply on this topic

i've explored it a bit more and the findings are collated in a doc open for comments:
https://docs.google.com/document/d/1mAGEaz_jSJkD5mesALPXi0SgEUEi2H1tuu7hbmXMIUw/edit?usp=sharing

TL;DR: signing minikube binaries for macOS and Windows requires funding ($99/year and a wide range of ~$80-$700+/year respectively), and for Linux distros, we currently have an operational YUM and APT repos.

we can discuss options at our next office hours meeting

[septatrix]

TL;DR: [...] and for Linux distros, we currently have an operational YUM and APT repos.

Under what URL could I find those? The ones I found are unsigned

[prezha]

hey @septatrix, there wasn't a big interest in these linux repos, so they haven't been kept up to date, and also the cert expired in the meantime

i've now refreshed the cert and added & signed all the release (ie, without beta and alpha) versions from minikube v1.24.0 - v1.26.1 (current atm), so you can try

please follow the steps above for your linux distro/package manager and share if it's working for you now

this is what apt reports now:

# apt show minikube -a
Package: minikube
Version: 1.26.1-0
Priority: optional
Section: base
Maintainer: Thomas Strömberg <t+minikube@stromberg.org>
Installed-Size: unknown
Recommends: virtualbox
Download-Size: 26.8 MB
APT-Sources: https://minikube.triplepoint.tech/apt stable/main amd64 Packages
Description: Minikube
 minikube is a tool that makes it easy to run Kubernetes locally.
 minikube runs a single-node Kubernetes cluster inside a VM on your
 laptop for users looking to try out Kubernetes or develop with it
 day-to-day.

Package: minikube
Version: 1.26.0-0
Priority: optional
Section: base
Maintainer: Thomas Strömberg <t+minikube@stromberg.org>
Installed-Size: unknown
Recommends: virtualbox
Download-Size: 26.6 MB
APT-Sources: https://minikube.triplepoint.tech/apt stable/main amd64 Packages
Description: Minikube
 minikube is a tool that makes it easy to run Kubernetes locally.
 minikube runs a single-node Kubernetes cluster inside a VM on your
 laptop for users looking to try out Kubernetes or develop with it
 day-to-day.

Package: minikube
Version: 1.25.2-0
Priority: optional
Section: base
Maintainer: Thomas Strömberg <t+minikube@stromberg.org>
Installed-Size: unknown
Recommends: virtualbox
Download-Size: 24.4 MB
APT-Sources: https://minikube.triplepoint.tech/apt stable/main amd64 Packages
Description: Minikube
 minikube is a tool that makes it easy to run Kubernetes locally.
 minikube runs a single-node Kubernetes cluster inside a VM on your
 laptop for users looking to try out Kubernetes or develop with it
 day-to-day.

Package: minikube
Version: 1.25.1-0
Priority: optional
Section: base
Maintainer: Thomas Strömberg <t+minikube@stromberg.org>
Installed-Size: unknown
Recommends: virtualbox
Download-Size: 23.8 MB
APT-Sources: https://minikube.triplepoint.tech/apt stable/main amd64 Packages
Description: Minikube
 minikube is a tool that makes it easy to run Kubernetes locally.
 minikube runs a single-node Kubernetes cluster inside a VM on your
 laptop for users looking to try out Kubernetes or develop with it
 day-to-day.

Package: minikube
Version: 1.25.0-0
Priority: optional
Section: base
Maintainer: Thomas Strömberg <t+minikube@stromberg.org>
Installed-Size: unknown
Recommends: virtualbox
Download-Size: 23.8 MB
APT-Sources: https://minikube.triplepoint.tech/apt stable/main amd64 Packages
Description: Minikube
 minikube is a tool that makes it easy to run Kubernetes locally.
 minikube runs a single-node Kubernetes cluster inside a VM on your
 laptop for users looking to try out Kubernetes or develop with it
 day-to-day.

Package: minikube
Version: 1.24.0-0
Priority: optional
Section: base
Maintainer: Thomas Strömberg <t+minikube@stromberg.org>
Installed-Size: unknown
Recommends: virtualbox
Download-Size: 23.5 MB
APT-Sources: https://minikube.triplepoint.tech/apt stable/main amd64 Packages
Description: Minikube
 minikube is a tool that makes it easy to run Kubernetes locally.
 minikube runs a single-node Kubernetes cluster inside a VM on your
 laptop for users looking to try out Kubernetes or develop with it
 day-to-day.