Open blueelvis opened 5 years ago
Not sure if we need to have for other operating systems as well.
We do, as there are similar boxes coming up for the .deb and .rpm
We could also sign the regular checksums, just plain old ASCII/sigs?
gpg --verify minikube-linux-amd64.sha256.sig
openssl sha256 minikube-linux-amd64 | awk '{print $2}'
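The signed-checksum flow suggested in the comment above, as an added example that is not part of the thread or of the minikube project: it checks the detached signature on the checksum file against a pinned key fingerprint, then compares the binary's digest to the signed value. The `FILE.sha256` / `FILE.sha256.sig` layout follows the commands in the comment; the function names and the fingerprint argument are assumptions.

```shell
#!/bin/sh
# Added example. Assumed layout: FILE, FILE.sha256, FILE.sha256.sig (detached
# signature over the checksum file). All function names are hypothetical.

# Hex SHA-256 of a file; falls back to sha256sum when openssl is absent.
file_sha256() {
    if command -v openssl >/dev/null 2>&1; then
        openssl sha256 "$1" | awk '{print $NF}'   # $NF survives spaces in names
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# True only if FILE ($1) hashes to the first field of CHECKSUM_FILE ($2).
check_sha256() {
    want=$(awk 'NR==1 {print tolower($1)}' "$2" 2>/dev/null) || return 1
    # Fail closed on an empty or malformed expected value.
    printf '%s\n' "$want" | grep -Eq '^[0-9a-f]{64}$' || return 1
    got=$(file_sha256 "$1" 2>/dev/null)
    [ "$got" = "$want" ]
}

# True only if SIG ($2) is a good detached signature over DATA ($1) made by the
# key whose primary fingerprint is $3. Exit status alone would accept any key
# in the keyring, so the machine-readable status lines are checked as well.
sig_by() {
    fpr=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    printf '%s\n' "$fpr" | grep -Eq '^[0-9A-F]{40,64}$' || return 1
    st=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    # GOODSIG is withheld for expired or revoked keys; VALIDSIG ends in the fpr.
    printf '%s\n' "$st" | grep -q '^\[GNUPG:\] GOODSIG ' &&
        printf '%s\n' "$st" | grep -q "^\[GNUPG:\] VALIDSIG .* $fpr\$"
}

# Signature first, digest second: the checksum is only trusted once signed.
verify_release() {
    sig_by "$1.sha256" "$1.sha256.sig" "$2" || { echo "signature check failed" >&2; return 1; }
    check_sha256 "$1" "$1.sha256" || { echo "checksum mismatch" >&2; return 1; }
    echo "OK: $1"
}

# Usage: sh verify.sh minikube-linux-amd64 <RELEASE_KEY_FINGERPRINT>
if [ "$#" -eq 2 ]; then verify_release "$1" "$2"; fi
```

The fingerprint has to come from a channel other than the download location, otherwise whoever can replace the binary can replace the key as well.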
A self-signed cert can add the details so that the Publisher is displayed, but it will still pop up this screen, as the certificate won't be in the trusted root of the operating system. We need to get a known and valid certificate from a CA which is known.
Not sure what the process is to get a certificate from a CA over here.
@blueelvis - Not sure. Try asking #sig-release on Slack.
Related to #5792 -- we're waiting on an official signing protocol from sig-release.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
/remove-lifecycle stale
Yeah, we want to still do this.
/sig security
Still occurring as of this issue. I'm also not seeing any signatures on the executable.
If it is any help, I can offer some avenues for resolving this issue. I recently did a deep dive on Windows Defender SmartScreen and Certificates.
As of now, whenever the minikube installer is run, the following screen comes up which makes it look as if the executable is malicious to a user -
This also revolves around having infrastructure/process to sign the executables/installers so that they can be verified.
Not sure if we need to have for other operating systems as well.
-Pranav