From: Malcolm Nixon
Newsgroups: gmane.text.pandoc
Subject: Re: Digitally Signed Outputs
Date: Wed, 10 May 2023 13:48:46 -0700 (PDT)
Message-ID: <4c8954d3-5676-4ff4-b68d-23b1e7c4901dn@googlegroups.com>
In-Reply-To: <871qjoscsn.fsf@zeitkraut.de>
To: pandoc-discuss

All the big players in the CI space have methods for providing secrets to the CI pipeline scripts:

- https://docs.github.com/en/actions/security-guides/encrypted-secrets
- https://learn.microsoft.com/en-us/azure/devops/pipelines/process/set-secret-variables
- https://docs.gitlab.com/charts/installation/secrets.html

Two approaches that seem common are to store the passphrase in the secrets manager but check in the certificate file to the repository; or, alternatively, to also store the certificate as a base64-encoded string in the secrets manager and have the script export it temporarily to a file before use.

Admittedly it would be more secure if CI tools came with signing capabilities built in, rather than having to inject secrets as arguments into a CI pipeline script which could be inadvertently/maliciously modified by a PR to try and leak the secrets (script injection attacks). The CI tools try to redact secrets from logs, but no system is perfect. Security hardening of pipelines is an entire research topic ;)

I'm mostly interested in creating tamper-resistant records (attestations) describing what was performed in the creation of an artifact, which can be copied around with the artifacts. The digital signature is only for tamper-resistance and wouldn't be used to signify suitability for distribution. If there's a lengthy gap between the creation of the record and its signing, then it opens a window for tampering before signature. That's one of the benefits of emitting the record pre-signed.

On Wednesday, May 10, 2023 at 2:45:11 PM UTC-4 Leonard Rosenthol wrote:

> After you resolve how to set up the pipeline, the next (bigger?) issue is where will you get a digital certificate from? How/where will you store it so your CI can find it? And how will you safely/securely provide the passphrase for the key to the signing process?
>
> Leonard
>
> On May 10, 2023 at 6:21:58 AM, Albert Krewinkel wrote:
>
>> Malcolm Nixon writes:
>>
>> > I found the PDF/A documentation and tried giving it a shot; however
>> > it looks like it only works with the ConTeXt engine, and the pandoc
>> > docker images only come with LaTeX.
>> >
>> > I might have to take a diversion and look into docker ;)
>>
>> Run this:
>>
>>     printf 'FROM pandoc/latex\nRUN tlmgr install context' | \
>>       docker build -t pandoc/context -
>>
>> Now you have a pandoc/context Docker image.
>>
>> --
>> Albert Krewinkel
>> GPG: 8eed e3e2 e8c5 6f18 81fe e836 388d c0b2 1f63 1124
>>
>> --
>> You received this message because you are subscribed to the Google Groups "pandoc-discuss" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to pandoc-discus...-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
>> To view this discussion on the web visit https://groups.google.com/d/msgid/pandoc-discuss/871qjoscsn.fsf%40zeitkraut.de

--
You received this message because you are subscribed to the Google Groups "pandoc-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pandoc-discuss+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To view this discussion on the web visit https://groups.google.com/d/msgid/pandoc-discuss/4c8954d3-5676-4ff4-b68d-23b1e7c4901dn%40googlegroups.com
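An added example, not code from this thread or from the pandoc project, showing in working form the two points Malcolm's post makes: the signing secret arrives from the CI secrets manager as a base64 string (stood in for here by an environment variable named ATTESTATION_KEY_B64, an assumed name) and stays in memory rather than being exported to a temporary file, and the attestation record is signed in the same call that builds it, so no unsigned copy ever exists to be tampered with. HMAC-SHA256 from Python's standard library stands in for the certificate-based digital signature discussed in the thread; the record layout, field names and function names are this example's own.

```python
"""Emit a build attestation that is signed the moment it is created.

Added example (not code from the pandoc-discuss thread). The key comes in
from the CI secrets manager as base64 (here: an environment variable, a
stand-in for the real secrets store) and is never written to disk. The
record is built and signed in one step, so there is no unsigned window.
HMAC-SHA256 stands in for a certificate-based signature; the record layout
and all names below are this example's own.
"""
import base64
import hashlib
import hmac
import json
import os

SECRET_ENV = "ATTESTATION_KEY_B64"  # assumed name of the injected secret


def load_key_from_env(name: str = SECRET_ENV) -> bytes:
    """Decode the base64 secret the CI secrets manager injected.

    Fails closed: a pipeline that lost its secret produces no record
    rather than one signed with an empty or missing key.
    """
    raw = os.environ.get(name)
    if not raw:
        raise RuntimeError(f"secret {name} is not set; refusing to sign")
    key = base64.b64decode(raw, validate=True)
    if len(key) < 32:
        raise RuntimeError("signing key is too short")
    return key


def canonical_bytes(record: dict) -> bytes:
    """Stable serialisation so signer and verifier MAC identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_attestation(artifact: bytes, artifact_name: str,
                      steps: list, created: str) -> dict:
    """Describe what produced the artifact and bind the record to its hash."""
    return {
        "artifact": {
            "name": artifact_name,
            "sha256": hashlib.sha256(artifact).hexdigest(),
        },
        "steps": steps,
        "created": created,
    }


def sign_attestation(record: dict, key: bytes) -> dict:
    """Return a copy of the record carrying a MAC over its canonical form."""
    if "signature" in record:
        raise ValueError("record already signed")
    mac = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    signed = dict(record)
    signed["signature"] = {"alg": "HMAC-SHA256", "value": mac}
    return signed


def verify_attestation(signed: dict, key: bytes, artifact: bytes = None) -> bool:
    """Check the MAC and, when the artifact is at hand, its hash binding."""
    sig = signed.get("signature")
    if not isinstance(sig, dict) or sig.get("alg") != "HMAC-SHA256":
        return False
    body = {k: v for k, v in signed.items() if k != "signature"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(sig.get("value", ""))):
        return False
    if artifact is not None:
        return hmac.compare_digest(
            hashlib.sha256(artifact).hexdigest(), body["artifact"]["sha256"])
    return True


def emit_signed_attestation(artifact: bytes, artifact_name: str,
                            steps: list, created: str, key: bytes) -> dict:
    """Build and sign together: the unsigned record never leaves this call."""
    return sign_attestation(
        build_attestation(artifact, artifact_name, steps, created), key)


if __name__ == "__main__":
    # Constructed demo values: a fake artifact and a fake injected secret.
    os.environ.setdefault(SECRET_ENV, base64.b64encode(os.urandom(32)).decode())
    pdf = b"%PDF-1.7 constructed stand-in for a pandoc output\n"
    key = load_key_from_env()
    att = emit_signed_attestation(
        pdf, "report.pdf",
        [{"tool": "pandoc", "args": ["report.md", "-o", "report.pdf"]}],
        "2023-05-10T20:48:46Z", key)
    print(json.dumps(att, indent=2))
    print("verifies:", verify_attestation(att, key, pdf))
    tampered = dict(att)
    tampered["steps"] = []  # simulate an edit made after signing
    print("tampered verifies:", verify_attestation(tampered, key, pdf))
```

In a real pipeline, swap the MAC in sign_attestation/verify_attestation for a signature made with the certificate's private key and ship the public half alongside the artifact; the canonical-bytes step and the hash binding between record and artifact stay exactly as shown. Because the key is decoded straight into memory, there is no temporary key file left behind for a later pipeline step, or a modified script, to read.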