public inbox archive for pandoc-discuss@googlegroups.com
From: Malcolm Nixon <malcolm.nixon-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: pandoc-discuss <pandoc-discuss-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org>
Subject: Re: Digitally Signed Outputs
Date: Wed, 10 May 2023 13:48:46 -0700 (PDT)
Message-ID: <4c8954d3-5676-4ff4-b68d-23b1e7c4901dn@googlegroups.com>
In-Reply-To: <CALu=v3KtnixWASLZrp6pp8oCZoqkP_5L3xBOXMa2RavW8-wMwA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>

All the big players in the CI space have methods for providing secrets to 
the CI pipeline scripts:
 - https://docs.github.com/en/actions/security-guides/encrypted-secrets
 - https://learn.microsoft.com/en-us/azure/devops/pipelines/process/set-secret-variables
 - https://docs.gitlab.com/charts/installation/secrets.html

Two approaches that seem common are to store the passphrase in the secrets 
manager but check in the certificate file to the repository; or 
alternatively to also store the certificate as a base64-encoded string in the 
secrets manager and have the script export it temporarily to a file before 
use. 

Admittedly it would be more secure if CI tools came with signing 
capabilities built in - rather than having to inject secrets as arguments 
into a CI pipeline script which could be inadvertently/maliciously modified 
by a PR to try and leak the secrets (script injection attacks). The CI 
tools try to redact secrets from logs, but no system is perfect. Security 
hardening of pipelines is an entire research topic ;)

I'm mostly interested in creating tamper-resistant records (attestations) 
describing what was performed in the creation of an artifact, which can be 
copied around with the artifacts. The digital signature is only for 
tamper-resistance and wouldn't be used to signify suitability for 
distribution. If there's a lengthy gap between the creation of the record 
and its signing, then it opens a window for tampering before signature. 
That's one of the benefits of emitting the record pre-signed.

On Wednesday, May 10, 2023 at 2:45:11 PM UTC-4 Leonard Rosenthol wrote:

> After you resolve how to setup the pipeline - the next (bigger?) issue is 
> where will you get a digital certificate from?  How/where will you store it 
> so your CI can find it?  And how will you safely/securely provide the 
> passphrase for the key to the signing process?
>
> Leonard
>
> On May 10, 2023 at 6:21:58 AM, Albert Krewinkel <albert...-9EawChwDxG8hFhg+JK9F0w@public.gmane.org> 
> wrote:
>
>>
>> Malcolm Nixon <malcol...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:
>>
>> I found the PDF/A documentation and tried giving it a shot; however
>> it looks like it only works with the ConTeXt engine, and the pandoc
>> docker images only come with LaTeX.
>>
>> I might have to take a diversion and look into docker ;)
>>
>> Run this:
>>
>>    printf 'FROM pandoc/latex\nRUN tlmgr install context' | \
>>      docker build -t pandoc/context -
>>
>> Now you have a pandoc/context Docker image.
>>
>> -- 
>> Albert Krewinkel
>> GPG: 8eed e3e2 e8c5 6f18 81fe  e836 388d c0b2 1f63 1124
>>
>>
>

-- 
You received this message because you are subscribed to the Google Groups "pandoc-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pandoc-discuss+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To view this discussion on the web visit https://groups.google.com/d/msgid/pandoc-discuss/4c8954d3-5676-4ff4-b68d-23b1e7c4901dn%40googlegroups.com.
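The second approach Malcolm describes (certificate or key kept base64-encoded in the CI secrets manager and exported to a file only for the duration of the signing step), written up as an added example that is not part of the thread. The secret name SIGNING_KEY_B64, the `write_record`/`sign_record` helpers and the use of openssl for the signature are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the "base64 secret exported to a file
# only while it is needed" pattern for a CI signing step. SIGNING_KEY_B64 is an
# assumed secret name; sign_record and its use of openssl are assumptions too.

# with_secret_file VAR cmd [args...]
# Decodes the base64 value of $VAR into a temp file readable only by this user,
# runs cmd with the file path appended as its last argument, and removes the
# file again whatever cmd's exit status. The value is never echoed, so the
# step does not rely on the CI tool's log redaction.
with_secret_file() (
  var=$1; shift
  val=$(printenv "$var") || { echo "with_secret_file: $var is not set" >&2; exit 1; }
  umask 077                                   # subshell: umask change stays local
  tmp=$(mktemp) || exit 1
  trap 'rm -f "$tmp"' EXIT                    # cleanup also when cmd fails
  if ! printf '%s' "$val" | base64 -d > "$tmp" 2>/dev/null; then
    echo "with_secret_file: $var is not valid base64" >&2
    exit 1
  fi
  "$@" "$tmp"
)

# write_record OUT ARTIFACT CMD: emit a small attestation describing what was
# done to produce ARTIFACT. Signing it right away (sign_record below) closes
# the window for tampering between record creation and signature.
write_record() {
  printf '{"artifact":"%s","command":"%s","built_at":"%s"}\n' \
    "$2" "$3" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$1"
}

# sign_record RECORD KEYFILE: detached signature RECORD.sig (openssl assumed).
sign_record() {
  openssl dgst -sha256 -sign "$2" -out "$1.sig" "$1"
}

# Pipeline step (not executed here): the key comes from the secrets manager,
# exists on disk only while sign_record runs, and is removed afterwards.
#   write_record build/attestation.json build/report.pdf "pandoc report.md -o report.pdf"
#   with_secret_file SIGNING_KEY_B64 sign_record build/attestation.json
```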
