Skip to content

Fix hyperkit driver build with Go 1.25 by setting minimum macOS SDK version #21941

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Fix hyperkit driver build with Go 1.25 by setting minimum macOS SDK version #21941

wants to merge 2 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Nov 20, 2025
edited
Loading

Go 1.25 introduced SecTrustCopyCertificateChain in crypto/x509/internal/macos, which requires macOS 10.15+. The xcgo cross-compilation image uses an older SDK lacking this symbol, causing:

Undefined symbols for architecture x86_64:
  "_SecTrustCopyCertificateChain", referenced from:
      _crypto/x509/internal/macos.x509_SecTrustCopyCertificateChain_trampoline.abi0 in go.o

Set CGO_LDFLAGS="-mmacosx-version-min=10.15" in the hyperkit driver build to target macOS 10.15 SDK, ensuring the linker only uses compatible symbols.

Changes:

  • Modified out/docker-machine-driver-hyperkit Makefile target to set CGO_LDFLAGS for both Docker and local builds
Original prompt

This section details on the original issue you should resolve

<issue_title>bumping golang version to v1.25.0 breaks hyperkit driver build with xcgo</issue_title>
<issue_description>when I tried to bump the go version from 1.24 to 1.25 minikube's go mod (this PR #21934)

the hyperkit driver build. failed (which uses a docker image xcgo)

here is the failed build. log


/go/pkg/mod/golang.org/[email protected]/pkg/tool/linux_amd64/link: running o64-clang failed: exit status 1

/osxcross/target/bin/o64-clang -arch x86_64 -m64 -Wl,-headerpad,1144 -o $WORK/b001/exe/a.out -Qunused-arguments /tmp/go-link-242712742/go.o /tmp/go-link-242712742/000000.o /tmp/go-link-242712742/000001.o /tmp/go-link-242712742/000002.o /tmp/go-link-242712742/000003.o /tmp/go-link-242712742/000004.o /tmp/go-link-242712742/000005.o /tmp/go-link-242712742/000006.o /tmp/go-link-242712742/000007.o /tmp/go-link-242712742/000008.o /tmp/go-link-242712742/000009.o /tmp/go-link-242712742/000010.o /tmp/go-link-242712742/000011.o -lresolv -O2 -g -framework vmnet -O2 -g -lpthread -framework CoreFoundation -framework Security

Undefined symbols for architecture x86_64:

  "_SecTrustCopyCertificateChain", referenced from:

      _crypto/x509/internal/macos.x509_SecTrustCopyCertificateChain_trampoline.abi0 in go.o

ld: symbol(s) not found for architecture x86_64

clang: error: linker command failed with exit code 1 (use -v to see invocation)



make: *** [Makefile:661: out/docker-machine-driver-hyperkit] Error 1

make: *** [Makefile:655: out/docker-machine-driver-hyperkit] Error 2

why hyperkit driver build is failing only on go 1.25.0?

Works for go mod 1.24 (on master branch)


$ MINIKUBE_BUILD_IN_DOCKER=y make drivers

docker run --rm -e GOCACHE=/app/.cache -e IN_DOCKER=1 \

--user 531729:89939 -w /app \

-v /usr/local/google/home/medya/workspace/minikube:/app:Z -v /usr/local/google/home/medya/go:/go:Z --init --entrypoint "" \

quay.io/nirsof/xcgo:jammy-v2 /bin/bash -c 'CC=o64-clang CXX=o64-clang++ /usr/bin/make out/docker-machine-driver-hyperkit'

Unable to find image 'quay.io/nirsof/xcgo:jammy-v2' locally

jammy-v2: Pulling from nirsof/xcgo

Digest: sha256:a0655d9b3aea65de70e5391abe468634da3c7d32a234902661eff6fce7bbd669

Status: Downloaded newer image for quay.io/nirsof/xcgo:jammy-v2

GOOS=darwin CGO_ENABLED=1 go build \

-ldflags="-X k8s.io/minikube/pkg/drivers/hyperkit.version=v1.37.0 -X k8s.io/minikube/pkg/drivers/hyperkit.gitCommitID="bac7021992e8850fa62e5b8cf1e457e301853aed""   \

-o out/docker-machine-driver-hyperkit k8s.io/minikube/cmd/drivers/hyperkit

Fails for go mod to 1.25

$ gh pr checkout 21934

remote: Enumerating objects: 99, done.

remote: Counting objects: 100% (96/96), done.

remote: Compressing objects: 100% (4/4), done.

remote: Total 99 (delta 92), reused 92 (delta 92), pack-reused 3 (from 2)

Unpacking objects: 100% (99/99), 17.34 KiB | 403.00 KiB/s, done.

From https://github.com/kubernetes/minikube

 * [new ref]             refs/pull/21934/head -> bump_golang_manually

Switched to branch 'bump_golang_manually'

11:46:26 medya/workspace/minikube

bump_golang_manually ✓

$ MINIKUBE_BUILD_IN_DOCKER=y make drivers

go: downloading go1.25.3 (linux/amd64)

make: Nothing to be done for 'drivers'.

11:46:49 medya/workspace/minikube

bump_golang_manually ✓

$ make clean

rm -rf /usr/local/google/home/medya/workspace/minikube/out

rm -f pkg/minikube/assets/assets.go

rm -f pkg/minikube/translate/translations.go

rm -rf ./vendor

rm -rf /tmp/tmp.*.minikube_*

rm -rf test/integration/licenses

11:46:58 medya/workspace/minikube

bump_golang_manually ✓

$ MINIKUBE_BUILD_IN_DOCKER=y make drivers

docker run --rm -e GOCACHE=/app/.cache -e IN_DOCKER=1 \

--user 531729:89939 -w /app \

-v /usr/local/google/home/medya/workspace/minikube:/app:Z -v /usr/local/google/home/medya/go:/go:Z --init --entrypoint "" \

quay.io/nirsof/xcgo:jammy-v2 /bin/bash -c 'CC=o64-clang CXX=o64-clang++ /usr/bin/make out/docker-machine-driver-hyperkit'

go: downloading go1.25.0 (linux/amd64)

GOOS=darwin CGO_ENABLED=1 go build \

-ldflags="-X k8s.io/minikube/pkg/drivers/hyperkit.version=v1.37.0 -X k8s.io/minikube/pkg/drivers/hyperkit.gitCommitID="060ece2009c3489c8c538bb03208cdca89ee8b50""   \

-o out/docker-machine-driver-hyperkit k8s.io/minikube/cmd/drivers/hyperkit

# k8s.io/minikube/cmd/drivers/hyperkit

/go/pkg/mod/golang.org/[email protected]/pkg/tool/linux_amd64/link: running o64-clang failed: exit status 1

/osxcross/target/bin/o64-clang -arch x86_64 -m64 -Wl,-headerpad,1144 -o $WORK/b001/exe/a.out -Qunused-arguments /tmp/go-link-242712742/go.o /tmp/go-link-242712742/000000.o /tmp/go-link-242712742/000001.o /tmp/go-link-242712742/000002.o /tmp/go-link-242712742/000003.o /tmp/go-link-242712742/000004.o /tmp/go-link-242712742/000005.o /tmp/go-link-242712742/000006.o /tmp/go-link-242712742/000007.o /tmp/go-link-242712742/000008.o /tm...

</details>

- Fixes kubernetes/minikube#21940

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more [Copilot coding agent tips](https://gh.io/copilot-coding-agent-tips) in the docs.

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Nov 20, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 20, 2025

Hi @Copilot. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Nov 20, 2025
@minikube-bot
Copy link
Collaborator

minikube-bot commented Nov 20, 2025

Can one of the admins verify this patch?

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 20, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Copilot
Once this PR has been reviewed and has the lgtm label, please ask for approval from medyagh. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copilot AI changed the title [WIP] Fix hyperkit driver build issue with golang v1.25.0 Fix hyperkit driver build with Go 1.25 by setting minimum macOS SDK version Nov 20, 2025
Copilot AI requested a review from medyagh November 20, 2025 20:06
Copilot finished work on behalf of medyagh November 20, 2025 20:06
@medyagh medyagh closed this Nov 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@medyagh medyagh Awaiting requested review from medyagh

Assignees

@medyagh medyagh

Copilot code review Copilot

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@k8s-ci-robot @minikube-bot @medyagh