From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.io/gmane.text.pandoc/32578
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Stephan Meijer <me-nPKYAObcRdo6Blr+0TYHagC/G2K4zDHf@public.gmane.org>
Newsgroups: gmane.text.pandoc
Subject: Re: Digitally Signed Outputs
Date: Tue, 9 May 2023 17:31:11 -0700 (PDT)
Message-ID: <18a7dc61-1f07-4d4d-90c1-02a6c4588c91n@googlegroups.com>
References: <5f41500c-54d8-43ca-855b-e2acfd0779dfn@googlegroups.com>
 <e2e27a0d-7044-4533-b2a6-f42634e84b78n@googlegroups.com>
 <73c2358c-ef08-411f-94e7-0d55e14b29b7n@googlegroups.com>
 <4fffb9ee-436c-4356-88d1-6c918d3b44e8n@googlegroups.com>
 <7fd9f105-5d95-46ae-bf51-37c00c3532b7n@googlegroups.com>
Reply-To: pandoc-discuss-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
Mime-Version: 1.0
Content-Type: multipart/mixed; 
	boundary="----=_Part_15210_1898980457.1683678671178"
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="23609"; mail-complaints-to="usenet@ciao.gmane.io"
To: pandoc-discuss <pandoc-discuss-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org>
Original-X-From: pandoc-discuss+bncBCYOPL5A34MBBUGL5ORAMGQE6UNWK2Y-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org Wed May 10 02:31:15 2023
Return-path: <pandoc-discuss+bncBCYOPL5A34MBBUGL5ORAMGQE6UNWK2Y-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org>
Envelope-to: gtp-pandoc-discuss@m.gmane-mx.org
Original-Received: from mail-ot1-f56.google.com ([209.85.210.56])
	by ciao.gmane.io with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128)
	(Exim 4.92)
	(envelope-from <pandoc-discuss+bncBCYOPL5A34MBBUGL5ORAMGQE6UNWK2Y-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org>)
	id 1pwXjf-0005xT-2B
	for gtp-pandoc-discuss@m.gmane-mx.org; Wed, 10 May 2023 02:31:15 +0200
Original-Received: by mail-ot1-f56.google.com with SMTP id 46e09a7af769-6ab0a992002sf821696a34.2
        for <gtp-pandoc-discuss@m.gmane-mx.org>; Tue, 09 May 2023 17:31:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlegroups.com; s=20221208; t=1683678674; x=1686270674;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:reply-to:x-original-sender
         :mime-version:subject:references:in-reply-to:message-id:to:from:date
         :sender:from:to:cc:subject:date:message-id:reply-to;
        bh=F6yJ/BRIkaek/e0VZl9WEjvljw9zk5hDn2vaCI9slf8=;
        b=Bimv2qQbLg1HEX0bkTR/Msq8rQdOpiV113QuJbmT4B9c7dQmdg99VQE0FOu4gez8Kf
         hBCOry80Tonw0c6yZSlSFJflq3i8/kHOft2Nz0psQiP1+vX3wcp0bbidqQUMw1WtNCHr
         hHoNaJxoI/TIdwydQW1xeKy/khTkcF2g7GlrXgddhYuR22/LNNo84IUzk6Uth6irbWVP
         DOQvrM+iDr14BfATzenkyvjVRPGruMPjSE258wKM5gxhliYhHhqSwVPebEzgMFGG8nWQ
         g+LJFzUT/9nt6who5CAOsz3cu0vm0pDY9V+SMTOIWoOK1w7k5xbVQ/Fy3OzjuYyd9S66
         hLlA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=stephanmeijer-com.20221208.gappssmtp.com; s=20221208; t=1683678674; x=1686270674;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:reply-to:x-original-sender
         :mime-version:subject:references:in-reply-to:message-id:to:from:date
         :from:to:cc:subject:date:message-id:reply-to;
        bh=F6yJ/BRIkaek/e0VZl9WEjvljw9zk5hDn2vaCI9slf8=;
        b=sayjfiSt/PIHzj1w6fn/jYZHMw6ovYFXkvW8Tyru7aYczCe5phpFuhwHCYzUGN6YOA
         SWfv8cJl+WfhQAWiHIf51ZaYW+pDUXHh0UCQil6HrA9PFOAH+KKFmRMK/6awGi3CJPop
         0dsZ5feykFeXdoM9MWqPuLw95P+to8PLgOYlwGBofbwGkXPw2lw9Udohcon6y/awfe3T
         8awjl8auJHOVQHTCXEIcIZuvp6G8RpVM9f6dSYRBNVvpOHkGXyJk8P+PHgh6uBhE9SUR
         yuNu2Tp1NHn+lrcaWbg4sWP857GFQ/pGcob2tkUl44FFgoHMdnbm3TmHywPoWq8imKFv
         Z71w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1683678674; x=1686270674;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to
         :x-original-sender:mime-version:subject:references:in-reply-to
         :message-id:to:from:date:x-beenthere:x-gm-message-state:sender:from
         :to:cc:subject:date:message-id:reply-to;
        bh=F6yJ/BRIkaek/e0VZl9WEjvljw9zk5hDn2vaCI9slf8=;
        b=I9vrX0sc8EgdzAKuQOyWGNSDTVzHZNdlFAciDTPNY0R7anFxEF+4KaI8qP2dL6ptSq
         WRaedQEr6lH+f17raSmF8kN9x2Hs7c9ozyIiJvdu8z+uMJGK30Re1RD3Vbn3AmRRaKXR
         x+llfL9FdFi7NMOXzSbP90XMt17pFocb6pLQuiuy6Eqq7IGMUJWcZTHNyvo0gAnZvE+X
         TwTdrfH2G4ARK9NkMdiH+kdQAjNWyt7USr61ryRQpGURafGC9z9pHqhi/nneofIX4Bnl
         ojFPDFv3Yyl84kmhgJDghAnnVi856Bv+oZuc6wmE6nOMMhCZcM 
Original-Sender: pandoc-discuss-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
X-Gm-Message-State: AC+VfDwnqWu1qliLL5V6XDiP7G3+bDsMYgdICZaFVsZnSJ1v1IncmNUK
	7ry1RSDA3wxVGVvrpgoxfE4=
X-Google-Smtp-Source: ACHHUZ4Hsfr84gImJA3IOrpcD0lTpgpg49pj2qkT63QROe1KOGfwr3QLGi8gcHb2gPkfP2ywmxUhOA==
X-Received: by 2002:a05:6830:144:b0:6aa:f62f:ccf9 with SMTP id j4-20020a056830014400b006aaf62fccf9mr1163514otp.1.1683678673935;
        Tue, 09 May 2023 17:31:13 -0700 (PDT)
X-BeenThere: pandoc-discuss-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
Original-Received: by 2002:a05:6870:3c87:b0:192:d467:746e with SMTP id
 gl7-20020a0568703c8700b00192d467746els4392771oab.8.-pod-prod-gmail; Tue, 09
 May 2023 17:31:12 -0700 (PDT)
X-Received: by 2002:a05:6870:1010:b0:187:ffb1:d3ee with SMTP id 16-20020a056870101000b00187ffb1d3eemr4472649oai.0.1683678671783;
        Tue, 09 May 2023 17:31:11 -0700 (PDT)
In-Reply-To: <7fd9f105-5d95-46ae-bf51-37c00c3532b7n-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org>
X-Original-Sender: me-nPKYAObcRdo6Blr+0TYHagC/G2K4zDHf@public.gmane.org
Precedence: list
Mailing-list: list pandoc-discuss-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org; contact pandoc-discuss+owners-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
List-ID: <pandoc-discuss.googlegroups.com>
X-Google-Group-Id: 1007024079513
List-Post: <https://groups.google.com/group/pandoc-discuss/post>, <mailto:pandoc-discuss-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org>
List-Help: <https://groups.google.com/support/>, <mailto:pandoc-discuss+help-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org>
List-Archive: <https://groups.google.com/group/pandoc-discuss
List-Subscribe: <https://groups.google.com/group/pandoc-discuss/subscribe>, <mailto:pandoc-discuss+subscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org>
List-Unsubscribe: <mailto:googlegroups-manage+1007024079513+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org>,
 <https://groups.google.com/group/pandoc-discuss/subscribe>
Xref: news.gmane.io gmane.text.pandoc:32578
Archived-At: <http://permalink.gmane.org/gmane.text.pandoc/32578>

------=_Part_15210_1898980457.1683678671178
Content-Type: multipart/alternative; 
	boundary="----=_Part_15211_2119746582.1683678671178"

------=_Part_15211_2119746582.1683678671178
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Also see https://github.com/opensignature/pdfsign

On Wednesday, 10 May 2023 at 02:30:14 UTC+2 Stephan Meijer wrote:

> You might even be able to sign any existing PDF documents using just=20
> openssl .
>
> On Wednesday, 10 May 2023 at 02:24:05 UTC+2 Stephan Meijer wrote:
>
>> Please keep in mind that when people are able to hack into your CI=20
>> pipelines, they can still tamper anyway.
>>
>> Maybe you can sign the PDF after generating it? Maybe take a lookt at=20
>> https://pypi.org/project/endesive/
>>
>> On Tuesday, 9 May 2023 at 23:08:19 UTC+2 Malcolm Nixon wrote:
>>
>>> Yes, PDF/A (when combined with a digital signature such as PAdES) looks=
=20
>>> to be ideal in creating long-term tamper-resistant artifacts such as=20
>>> release notes or test reports in CI pipelines.
>>>
>>> I found the PDF/A documentation and tried giving it a shot; however it=
=20
>>> looks like it only works with the ConTeXt engine, and the pandoc docker=
=20
>>> images only come with LaTeX.
>>>
>>> I might have to take a diversion and look into docker ;)
>>>
>>> Many thanks,
>>>
>>>     - Malcolm
>>>
>>> On Tuesday, May 9, 2023 at 6:52:19=E2=80=AFAM UTC-4 Stephan Meijer wrot=
e:
>>>
>>>> With digitally signed, do you mean PDF/A?
>>>>
>>>> Pandoc has some info about it on their FAQ:=20
>>>> https://pandoc.org/faqs.html#how-can-i-produce-pdfa-with-pandoc
>>>>
>>>> Hope I was of any help.
>>>>
>>>> Stephan
>>>>
>>>> On Tuesday, 2 May 2023 at 00:42:57 UTC+2 Malcolm Nixon wrote:
>>>>
>>>>> Greetings all,
>>>>>
>>>>> I'm looking to use Pandoc to generate digitally-signed PDFs from a CI=
=20
>>>>> workflow - specifically the digital signature would be evidence that =
the=20
>>>>> document hasn't been tampered with.
>>>>>
>>>>> While the underlying Miktek PDF generator has a "digsig" package, it=
=20
>>>>> looks like Pandoc doesn't have any command-line options for triggerin=
g the=20
>>>>> signing of the output.
>>>>>
>>>>> Am I missing something in the documentation (such as some means of=20
>>>>> specifying custom miktek extensions).=20
>>>>>
>>>>> Many thanks,
>>>>>  - Malcolm
>>>>>
>>>>

--=20
You received this message because you are subscribed to the Google Groups "=
pandoc-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to pandoc-discuss+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To view this discussion on the web visit https://groups.google.com/d/msgid/=
pandoc-discuss/18a7dc61-1f07-4d4d-90c1-02a6c4588c91n%40googlegroups.com.

------=_Part_15211_2119746582.1683678671178
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Also see=C2=A0https://github.com/opensignature/pdfsign<br /><br /><div clas=
s=3D"gmail_quote"><div dir=3D"auto" class=3D"gmail_attr">On Wednesday, 10 M=
ay 2023 at 02:30:14 UTC+2 Stephan Meijer wrote:<br/></div><blockquote class=
=3D"gmail_quote" style=3D"margin: 0 0 0 0.8ex; border-left: 1px solid rgb(2=
04, 204, 204); padding-left: 1ex;">You might even be able to sign any exist=
ing PDF documents using just <font face=3D"Courier New">openssl</font> .<br=
><br><div class=3D"gmail_quote"><div dir=3D"auto" class=3D"gmail_attr">On W=
ednesday, 10 May 2023 at 02:24:05 UTC+2 Stephan Meijer wrote:<br></div><blo=
ckquote class=3D"gmail_quote" style=3D"margin:0 0 0 0.8ex;border-left:1px s=
olid rgb(204,204,204);padding-left:1ex">Please keep in mind that when peopl=
e are able to hack into your CI pipelines, they can still tamper anyway.<di=
v><br></div><div>Maybe you can sign the PDF after generating it? Maybe take=
 a lookt at=C2=A0<a href=3D"https://pypi.org/project/endesive/" rel=3D"nofo=
llow" target=3D"_blank" data-saferedirecturl=3D"https://www.google.com/url?=
hl=3Den-GB&amp;q=3Dhttps://pypi.org/project/endesive/&amp;source=3Dgmail&am=
p;ust=3D1683765015426000&amp;usg=3DAOvVaw1qiD1v-DZvFRLpmmroWkYG">https://py=
pi.org/project/endesive/</a><br><br></div><div class=3D"gmail_quote"><div d=
ir=3D"auto" class=3D"gmail_attr">On Tuesday, 9 May 2023 at 23:08:19 UTC+2 M=
alcolm Nixon wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"mar=
gin:0 0 0 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Ye=
s, PDF/A (when combined with a digital signature such as PAdES) looks to be=
 ideal in creating long-term tamper-resistant artifacts such as release not=
es or test reports in CI pipelines.<br><br>I found the PDF/A documentation =
and tried giving it a shot; however it looks like it only works with the Co=
nTeXt engine, and the pandoc docker images only come with LaTeX.<div><br></=
div><div>I might have to take a diversion and look into docker ;)</div><div=
><br></div><div>Many thanks,</div><div><br></div><div>=C2=A0 =C2=A0 - Malco=
lm</div><div><br></div><div class=3D"gmail_quote"><div dir=3D"auto" class=
=3D"gmail_attr">On Tuesday, May 9, 2023 at 6:52:19=E2=80=AFAM UTC-4 Stephan=
 Meijer wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0=
 0 0 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">With di=
gitally signed, do you mean PDF/A?<div><br></div><div>Pandoc has some info =
about it on their FAQ:=C2=A0<a href=3D"https://pandoc.org/faqs.html#how-can=
-i-produce-pdfa-with-pandoc" rel=3D"nofollow" target=3D"_blank" data-safere=
directurl=3D"https://www.google.com/url?hl=3Den-GB&amp;q=3Dhttps://pandoc.o=
rg/faqs.html%23how-can-i-produce-pdfa-with-pandoc&amp;source=3Dgmail&amp;us=
t=3D1683765015426000&amp;usg=3DAOvVaw30axRdCt68q7M8P18_KV3d">https://pandoc=
.org/faqs.html#how-can-i-produce-pdfa-with-pandoc</a></div><div><br></div><=
div>Hope I was of any help.</div><div><br></div><div>Stephan<br><br></div><=
div class=3D"gmail_quote"><div dir=3D"auto" class=3D"gmail_attr">On Tuesday=
, 2 May 2023 at 00:42:57 UTC+2 Malcolm Nixon wrote:<br></div><blockquote cl=
ass=3D"gmail_quote" style=3D"margin:0 0 0 0.8ex;border-left:1px solid rgb(2=
04,204,204);padding-left:1ex">Greetings all,<div><br></div><div>I&#39;m loo=
king to use Pandoc to generate digitally-signed PDFs from a CI workflow - s=
pecifically the digital signature would be evidence that the document hasn&=
#39;t been tampered with.</div><div><br></div><div>While the underlying Mik=
tek PDF generator has a &quot;digsig&quot; package, it looks like Pandoc do=
esn&#39;t have any command-line options for triggering the signing of the o=
utput.</div><div><br></div><div>Am I missing something in the documentation=
 (such as some means of specifying custom miktek extensions).=C2=A0</div><d=
iv><br></div><div>Many thanks,</div><div>=C2=A0- Malcolm</div></blockquote>=
</div></blockquote></div></blockquote></div></blockquote></div></blockquote=
></div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;pandoc-discuss&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:pandoc-discuss+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org">pand=
oc-discuss+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org</a>.<br />
To view this discussion on the web visit <a href=3D"https://groups.google.c=
om/d/msgid/pandoc-discuss/18a7dc61-1f07-4d4d-90c1-02a6c4588c91n%40googlegro=
ups.com?utm_medium=3Demail&utm_source=3Dfooter">https://groups.google.com/d=
/msgid/pandoc-discuss/18a7dc61-1f07-4d4d-90c1-02a6c4588c91n%40googlegroups.=
com</a>.<br />

------=_Part_15211_2119746582.1683678671178--

------=_Part_15210_1898980457.1683678671178--