# MinKMS RELEASE.2026-06-03T18-18-01Z

Released: 2026-06-03

This release fixes a key-listing incompatibility with Entrust KeyControl HSMs that prevented MinKMS from locating its unseal key on certain KeyControl versions. It also refreshes mTLS, KMS client, and cryptographic dependencies and updates the Go runtime. Operators running MinKMS against Entrust KeyControl are encouraged to upgrade.

---

## Downloads

### Binary Downloads

| Platform | Architecture | Download                                                                                           |
| -------- | ------------ | -------------------------------------------------------------------------------------------------- |
| Linux    | amd64        | [minkms.RELEASE.2026-06-03T18-18-01Z](https://dl.min.io/aistor/minkms/release/linux-amd64/archive/minkms.RELEASE.2026-06-03T18-18-01Z)           |
| Linux    | arm64        | [minkms.RELEASE.2026-06-03T18-18-01Z](https://dl.min.io/aistor/minkms/release/linux-arm64/archive/minkms.RELEASE.2026-06-03T18-18-01Z)           |
| macOS    | amd64        | [minkms.RELEASE.2026-06-03T18-18-01Z](https://dl.min.io/aistor/minkms/release/darwin-amd64/archive/minkms.RELEASE.2026-06-03T18-18-01Z)          |
| macOS    | arm64        | [minkms.RELEASE.2026-06-03T18-18-01Z](https://dl.min.io/aistor/minkms/release/darwin-arm64/archive/minkms.RELEASE.2026-06-03T18-18-01Z)          |
| Windows  | amd64        | [minkms.exe.RELEASE.2026-06-03T18-18-01Z](https://dl.min.io/aistor/minkms/release/windows-amd64/archive/minkms.exe.RELEASE.2026-06-03T18-18-01Z) |

### FIPS Binaries

| Platform | Architecture | Download                                                                                           |
| -------- | ------------ | -------------------------------------------------------------------------------------------------- |
| Linux    | amd64        | [minkms.RELEASE.2026-06-03T18-18-01Z.fips](https://dl.min.io/aistor/minkms/release/linux-amd64/archive/minkms.RELEASE.2026-06-03T18-18-01Z.fips) |

Each binary also has `.sha256sum`, `.minisig`, and `.asc` signature files available at the same path.

### Container Images

```bash
# Standard
docker pull quay.io/minio/aistor/minkms:RELEASE.2026-06-03T18-18-01Z
podman pull quay.io/minio/aistor/minkms:RELEASE.2026-06-03T18-18-01Z

# FIPS
docker pull quay.io/minio/aistor/minkms:RELEASE.2026-06-03T18-18-01Z.fips
podman pull quay.io/minio/aistor/minkms:RELEASE.2026-06-03T18-18-01Z.fips
```

---

## Bug Fixes

### HSM

- **Fixed key listing with Entrust KeyControl** (#221) — Different KeyControl versions return the key list under different JSON fields (`items` vs. `keys`) and are sensitive to a trailing slash on the listing endpoint. MinKMS now accepts both response shapes and normalizes the request path, so it can reliably locate its key across KeyControl versions. Operators using Entrust KeyControl who previously saw "no key ID for key name found" errors should upgrade.

---

## Improvements

- **Updated mTLS and KMS client libraries** (#220) — Upgraded `aead.dev/mtls` to v0.4.0 and `minio/kms-go` to v0.7.0. API key and identity generation now use a single unified key type, simplifying key handling across standard and FIPS builds.
- **Refreshed cryptographic dependencies** (#220) — Updated `golang.org/x/crypto` and `golang.org/x/sys` to their latest releases.
- **Updated Go runtime to 1.26.4** (1a25f4f) — MinKMS now builds against Go 1.26.4, picking up the latest upstream runtime and standard-library fixes.

---

## Security & Compliance

### Software Bill of Materials (SBOM)

This release includes comprehensive SBOM documentation in multiple formats:

- [SPDX JSON](sbom-RELEASE.2026-06-03T18-18-01Z.spdx.json) - Standard SBOM format
- [CycloneDX JSON](sbom-RELEASE.2026-06-03T18-18-01Z.cyclonedx.json) - Security scanner compatible
- [Go Modules](go-modules-RELEASE.2026-06-03T18-18-01Z.txt) - Human-readable dependency list

SBOM files document all direct and transitive dependencies for security auditing and compliance requirements.

---

## Upgrade Instructions

MinKMS supports rolling upgrades. Upgrade one node at a time, starting with followers:

1. Stop the follower node
2. Replace the `minkms` binary
3. Start the node and wait for it to rejoin the cluster
4. Repeat for remaining followers
5. Upgrade the leader node last

**Important**: Write operations require all nodes to be available. Plan a brief maintenance window for the leader upgrade.

### Support

For enterprise support:

- SUBNET Support: https://subnet.min.io
- Documentation: https://docs.min.io