flow · Jun 17, 2021 · Jun 21, 2021 · Jun 23, 2021
Showing with 85 additions and 8 deletions.

+1 −0 .gitignore

+6 −0 .jfconfig

+45 −2 Makefile

+4 −4 SHASUM256.txt

+11 −0 SHASUM256.txt.sign

+4 −2 package.json

+14 −0 signing.pem
diff --git a/.gitignore b/.gitignore
@@ -2,3 +2,4 @@
 node_modules
 /flow-*-v*/
 *.swp
+/signing.key
diff --git a/.jfconfig b/.jfconfig
@@ -0,0 +1,6 @@
+{
+  "project_id": "flow-bin",
+  "capabilities": [
+    "submit",
+  ],
+}
diff --git a/Makefile b/Makefile
@@ -12,7 +12,7 @@ all: clean build test
 .PHONY: clean
 clean:
 	rm -f .npmrc
-	rm -rf flow-*-v* SHASUM256.txt
+	rm -rf flow-*-v* SHASUM256.txt SHASUM256.txt.sign signing.key signing.pem
 
 .PHONY: bump
 bump:
@@ -28,12 +28,16 @@ test: $(FLOW_BINS)
 build: clean bump SHASUM256.txt
 
 .PHONY: push
-push: build test
+push: build test SHASUM256.txt.sign signing.pem
 	git diff --quiet && git diff --staged --quiet || git commit -am "v$(FLOW_VERSION)"
 	git tag -l "v$(FLOW_VERSION)" || git tag -a "v$(FLOW_VERSION)" -m "v$(FLOW_VERSION)"
 	git push
 	git push --tags
 
+.PHONY: pack
+pack: build SHASUM256.txt.sign
+	npm pack
+
 .PHONY: publish
 publish:
 ifneq ("$(NPM_TOKEN)", "")
@@ -64,3 +68,42 @@ flow-osx-v%/flow:
 
 flow-win64-v%/flow.exe:
 	$(get-flow)
+
+
+#################################
+# Code signing
+#
+# The binaries' hashes are stored in SHASUM256.txt. To ensure integrity of
+# SHASUM256.txt, we also provide SHASUM256.txt.sign, which is signed with our
+# (self-signed) SSL certificate, signing.pem.
+#
+# The base64 encoding of the private key must be passed as an environment
+# variable named "FLOW_BIN_PRIVATE_KEY_BASE64".
+#
+#################################
+
+# base64 decodes the private key and writes it into a file named signing.key
+signing.key:
+ifeq ("$(FLOW_BIN_PRIVATE_KEY_BASE64)", "")
+	@echo "FLOW_BIN_PRIVATE_KEY_BASE64 variable not set."
+	exit 1
+else
+	@echo '$(FLOW_BIN_PRIVATE_KEY_BASE64)' | base64 -d > $@
+endif
+
+# generates the public key from signing.key
+#
+# this cert also needs to be included in flow-for-vscode or anywhere else that
+# wants to verify our release binaries offline.
+signing.pem: signing.key
+	openssl rsa -in "$<" -pubout -out "$@"
+
+%.sign: % signing.key 
+	openssl dgst -sign signing.key -sha256 -out "$@.bin" -binary "$<"
+	openssl base64 -in "$@.bin" -out "$@"
+	rm -f "$@.bin"
+
+verify: SHASUM256.txt signing.pem SHASUM256.txt.sign
+	openssl base64 -d -in SHASUM256.txt.sign -out SHASUM256.txt.sign.bin
+	openssl dgst -verify signing.pem -sha256 -signature SHASUM256.txt.sign.bin SHASUM256.txt
+	rm -f "SHASUM256.txt.sign.bin"
diff --git a/SHASUM256.txt b/SHASUM256.txt
@@ -1,4 +1,4 @@
-5ab5aee8ac6978e8c39c2ad54618ac475eb90a685344e508bd2076cae388b724  flow-linux64-v0.153.0/flow
-b30eb4e564e9d91c8555fbb6405aee92235472f966e922f87917fba98a50e14d  flow-linux-arm64-v0.153.0/flow
-34d9bf20f27f9728506abdf41f9888ef0849f944173795cefe678914eeb88abc  flow-osx-v0.153.0/flow
-cbdb3347bf2b45cae48adaca240fcd94b8e4f30c124828a89333ac2cc1812a4d  flow-win64-v0.153.0/flow.exe
+211e3f82b7b249262b96f3b24cd71ad6e77b3b55e6aaf7a0b9a61a6269cef36f  flow-linux64-v0.154.0/flow
+ebaa070d0c89933b156b96a71b3894163c73acd4a0eea6d38024ecd467bede95  flow-linux-arm64-v0.154.0/flow
+7875274a5d6865b048d4b9a24ad2d3ae0def0a9c3e87bf84b453c0e1d752707e  flow-osx-v0.154.0/flow
+b617f40b3335dc9b0c18ae9b7fe3004f85b5e5acae1679b28c6ad10e98a69ef2  flow-win64-v0.154.0/flow.exe
diff --git a/SHASUM256.txt.sign b/SHASUM256.txt.sign
@@ -0,0 +1,11 @@
+FEcn3FsokFfihSV258MgYfenq5/VD5lt8KuHzBPSkd/fKYNOvwTAYeW8g1bJkbJS
+G0hciuERjvvhwwLr7Pv4KE5EmIvyskTlRMandeEQSEdzumIN+QqdUqCbnEJiCfs3
+gkBKmhLGlqs5gl7SucbXqcId0834Ms1LVHgAgSy41LiKaxEYGY/SFpt96IO9EV7y
+QDT/Je2UPHGJHT1jEZlTAxOqZ0qELKLkDXgZDZuv5NIiDUJJ0c7ezICxknw86VWW
+ie2NdtI5AppDDJnps1JmBq3PgpY/+4GtpeqUurb6Y889DT08CUzNjC+Yn8wtkbG1
+29oLC0JI1ajmR66JkZeLZsjef7ubPtaprMtyCHV9bis75PkgDmcr2B2qoYxaDRXm
+cF1pWsBpwfnd3TcFlvIC0mO4jPrrFp/gEbLI8m1y/o8/1dOkCHuvpoRccVBaMqLJ
+nqB09SVJKiaL0h8fzCttHiLZtHppS+J6QCRHlE8jFElsgeldBz5Dsf9gLEkUgQus
+usK2pspsECiQTy4oBEOuIu7D3/WGDdI1fwJy//WTFv/AK5CcB2VIqkK++9Opk3P4
+IRWa37Ak9Cc0uhiUoSaoaIwwZg0g33uNnaVfu6R8ttQfBF3P6fnx7tx9Vl4M2vCW
+mn4nJ6cSlneOKhGvQzSiithVUCr7NZWsY+fJBbBdGAw=
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "flow-bin",
-  "version": "0.153.0",
+  "version": "0.154.0",
   "description": "Binary wrapper for Flow - A static type checker for JavaScript",
   "license": "MIT",
   "repository": "flowtype/flow-bin",
@@ -27,7 +27,9 @@
     "vendor",
     "cli.js",
     "index.js",
-    "SHASUM256.txt"
+    "SHASUM256.txt",
+    "SHASUM256.txt.sign",
+    "signing.pem"
   ],
   "keywords": [
     "cli-app",

diff --git a/signing.pem b/signing.pem
@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuqnqv+vVufvlswdMLIXn
+plgW1Yvtp8WHQqx9VSiSyCa7p/bk6JhShnoFlu8/3xlxGRd5Fmjeyf9U3JzZb/Av
+2kRYbvyKicOPh0bFOb7HqOBnFK5+ZDNzxS4nvRZ1ylJyPJFHD/nSKfum2jdupWVb
+v0f9Efzfy+5XHDbZIGT5qkUY1BT8O6n3NErMLLCj6Fj74uXjyjk7qIlIOWYFZtzY
+PF5eCsYEXqVQP3sMvhtX7TjT/25CpGzy6KFY9Jr2h0bUh7gXCou90yPS8bjVUyqJ
+jojHcrTfWqDtDLzqSFTW0UtgRf/E38Tz6hQjoN9ud3RnDX2Vr9kq+FLdZ1TZDahZ
+B7QW7SoZIYnuYeH51GcRNaMom65tlp5YGG88XWL0/Fm6yZBxyYbq/gRBx8u8XI3U
+EFNiWgExLyoqLnivIiav7/AizpZ6ZS4wKgRHfy2TN1cx47ehL4QNoEP+wszBzb8D
+VO/i/E3QR+yIK9m+9W0yp004/bvTtZFHuUAw6/VW0VvYR09/fbmMo8c9Gw5PEfQW
++GtlUXhB+oG1+g2HRDntIK1EfRC3lTxJ0G81bOJo0FSQQ+7nXcOZF6qCb1wQAf5J
+hEcgJfmg2VkyLrTPPWnzO/9n32FkRbh1VNLVarLbLf0SshTvBZbVySlDJN86U5yL
+aYHEGQW9kbnoE7XNU+FSkxcCAwEAAQ==
+-----END PUBLIC KEY-----