All the big players in the CI space have methods for providing secrets to the CI pipeline scripts:

- https://docs.github.com/en/actions/security-guides/encrypted-secrets
- https://learn.microsoft.com/en-us/azure/devops/pipelines/process/set-secret-variables
- https://docs.gitlab.com/charts/installation/secrets.html

Two approaches that seem common are to store the passphrase in the secrets manager but check the certificate file in to the repository; or alternatively to also store the certificate as a base64-encoded string in the secrets manager and have the script export it temporarily to a file before use.

Admittedly it would be more secure if CI tools came with signing capabilities built in, rather than having to inject secrets as arguments into a CI pipeline script which could be inadvertently/maliciously modified by a PR to try and leak the secrets (script injection attacks). The CI tools try to redact secrets from logs, but no system is perfect. Security hardening of pipelines is an entire research topic ;)

I'm mostly interested in creating tamper-resistant records (attestations) describing what was performed in the creation of an artifact, which can be copied around with the artifacts. The digital signature is only for tamper-resistance and wouldn't be used to signify suitability for distribution. If there's a lengthy gap between the creation of the record and its signing, then it opens a window for tampering before signature. That's one of the benefits of emitting the record pre-signed.

On Wednesday, May 10, 2023 at 2:45:11 PM UTC-4 Leonard Rosenthol wrote:
> After you resolve how to set up the pipeline - the next (bigger?) issue is
> where will you get a digital certificate from? How/where will you store it
> so your CI can find it? And how will you safely/securely provide the
> passphrase for the key to the signing process?
>
> Leonard
>
> On May 10, 2023 at 6:21:58 AM, Albert Krewinkel wrote:
>
>> Malcolm Nixon writes:
>>
>>> I found the PDF/A documentation and tried giving it a shot; however
>>> it looks like it only works with the ConTeXt engine, and the pandoc
>>> docker images only come with LaTeX.
>>>
>>> I might have to take a diversion and look into docker ;)
>>
>> Run this:
>>
>>     printf 'FROM pandoc/latex\nRUN tlmgr install context' | \
>>       docker build -t pandoc/context -
>>
>> Now you have a pandoc/context Docker image.
>>
>> --
>> Albert Krewinkel
>> GPG: 8eed e3e2 e8c5 6f18 81fe e836 388d c0b2 1f63 1124
>>
>> --
>> You received this message because you are subscribed to the Google Groups "pandoc-discuss" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to pandoc-discus...-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
>> To view this discussion on the web visit https://groups.google.com/d/msgid/pandoc-discuss/871qjoscsn.fsf%40zeitkraut.de

--
You received this message because you are subscribed to the Google Groups "pandoc-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pandoc-discuss+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To view this discussion on the web visit https://groups.google.com/d/msgid/pandoc-discuss/4c8954d3-5676-4ff4-b68d-23b1e7c4901dn%40googlegroups.com.
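The second approach Malcolm describes above (certificate kept base64-encoded in the secrets manager and written to a file only for the moment it is needed), as an added example that is not code from the thread; the secret name `SIGNING_CERT_B64` and the placeholder value are assumptions, and the file is kept private, short-lived and out of a debug-traced job log.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): materialise a base64-encoded certificate
# held in the CI secrets store into a short-lived file, run one command against
# it, and remove it again. SIGNING_CERT_B64 is an assumed secret name that the
# CI system would inject into the job environment.

# Decode $SIGNING_CERT_B64 into a mode-0600 temp file, run "$@" with the file
# path appended as its last argument, then delete the file on every exit path.
# The body is a subshell, so the umask, trap and xtrace changes do not leak.
with_cert_file() (
    set +x          # a debug-traced pipeline must not print the decoded secret
    umask 077       # temp file readable by this job's user only
    cert_file=$(mktemp) || exit 1
    trap 'rm -f "$cert_file"' EXIT INT TERM HUP

    # Fail closed: an empty or malformed secret must not run the command
    # against an empty certificate file.
    if [ -z "${SIGNING_CERT_B64:-}" ] ||
       ! printf '%s' "$SIGNING_CERT_B64" | base64 -d > "$cert_file" 2>/dev/null; then
        echo "with_cert_file: SIGNING_CERT_B64 is missing or not valid base64" >&2
        exit 1
    fi

    "$@" "$cert_file"   # e.g. the signing tool, which reads the cert from disk
)

# Stand-alone demo with a constructed placeholder in place of a real
# certificate; a CI job would receive SIGNING_CERT_B64 from its secrets store.
if [ -z "${SIGNING_CERT_B64:-}" ]; then
    SIGNING_CERT_B64=$(printf 'PLACEHOLDER-NOT-A-REAL-CERT' | base64)
    export SIGNING_CERT_B64
fi
with_cert_file sh -c 'echo "signing with $1 ($(wc -c < "$1") bytes)"' sh
```

The command passed to `with_cert_file` never sees the base64 text, only a path, so the secret value itself is not an argument that a log line or `set -x` trace can capture.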