From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.io/gmane.text.pandoc/32576 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Stephan Meijer Newsgroups: gmane.text.pandoc Subject: Re: Digitally Signed Outputs Date: Tue, 9 May 2023 17:24:05 -0700 (PDT) Message-ID: <4fffb9ee-436c-4356-88d1-6c918d3b44e8n@googlegroups.com> References: <5f41500c-54d8-43ca-855b-e2acfd0779dfn@googlegroups.com> <73c2358c-ef08-411f-94e7-0d55e14b29b7n@googlegroups.com> Reply-To: pandoc-discuss-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_Part_4288_57068399.1683678245251" Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="31435"; mail-complaints-to="usenet@ciao.gmane.io" To: pandoc-discuss Original-X-From: pandoc-discuss+bncBCYOPL5A34MBBJ6I5ORAMGQEV7JPBDY-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org Wed May 10 02:24:12 2023 Return-path: Envelope-to: gtp-pandoc-discuss@m.gmane-mx.org Original-Received: from mail-ot1-f58.google.com ([209.85.210.58]) by ciao.gmane.io with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from ) id 1pwXcp-0007zr-Br for gtp-pandoc-discuss@m.gmane-mx.org; Wed, 10 May 2023 02:24:11 +0200 Original-Received: by mail-ot1-f58.google.com with SMTP id 46e09a7af769-6ab15a57269sf1459936a34.3 for ; Tue, 09 May 2023 17:24:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20221208; t=1683678250; x=1686270250; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:x-original-sender :mime-version:subject:references:in-reply-to:message-id:to:from:date :sender:from:to:cc:subject:date:message-id:reply-to; bh=XCprn6Jah93nYaqFM/U1vWD2V5fezBywzkgPBW4FQdo=; b=PLaG9xZbevUXDDy4c+2HziKIKJ+1ldh/XJcS0ewSsA2XSV9VLfbfnpKLs8L6AY/UoF alPDJakbplOMekMspCtistpnpn79PnO1stveZyyUnFYhQW/4HhOg8hX2tEDpq8yinDeo KgknrQ/9nJ6F7MyBuQguc/wfEtUSn5+60cRUrPsRNYf+cGvx0bM7vz78IqV+Sibt9Xw4 rHc3/41QO8Ifr+kaI6CsvwS2AOb45Y1gM8zWkUYfBMRo0dWMQUjKGQbabY901ADGG9du tKJ3oMI8g4f21axVYd6yrgODcaXoOnI98in/GDT//p7WkcghNkwt7O3+bUJsF9aB4xbh m7nQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stephanmeijer-com.20221208.gappssmtp.com; s=20221208; t=1683678250; x=1686270250; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:x-original-sender :mime-version:subject:references:in-reply-to:message-id:to:from:date :from:to:cc:subject:date:message-id:reply-to; bh=XCprn6Jah93nYaqFM/U1vWD2V5fezBywzkgPBW4FQdo=; b=Hdd+l5SiylA5CURUyhojPX9nGFgBEOeDh1aBPf6nrvdSsb5a8ofJJb+149cJdras8W LaqcEe18UarGgFnwli0JohxtN1J1DUVSUN8DwcSCrzqn2uckTvA7iLvms/WxHZPJSALp arzQbBKMqaupFqmwO+S4sXl2bhk6JFAJRTqJnzKWlummPLwUC7EJr46+FBQ5eOp8p+94 S0kUeTUPgbY99S+Vw/fPRcCWnARCCXan7F7SH4qie6Qj1xeoDaj0HAmEimoy/yB3lKVE LWhVbWqHc0oGeJzUctFKffhnT7+RQMZIXRvYwVe5v2gQCBTH7rSz8u8I78NX67CoXg1F g+Jg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683678250; x=1686270250; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-sender:mime-version:subject:references:in-reply-to :message-id:to:from:date:x-beenthere:x-gm-message-state:sender:from :to:cc:subject:date:message-id:reply-to; bh=XCprn6Jah93nYaqFM/U1vWD2V5fezBywzkgPBW4FQdo=; b=Jw6RnEqF67BpFwaE2ZuPdBm/343OuBjapsvqvqbjYjkZXDYVVtp8CVI+mnIhBHITGj yIwIuno098pBh8GipTKYLq+jdQtO9JpqvScn1EfexrAUtoA95XGYroDXJjLwjX0RFGok ePpA8DqDnKhmUF38D5g5yK6jq2CYfcfZWQIfcPSOQ6pH0xubmRbrXGS0q5dBI3KaqxtX s8pzgsNUlcpDibh5Z7OA7+8U5qc0bz2HklNSxTWBdWzwrgfTwtr37+E082Gg3zFrDBKc Y4AN7Ggg1U56ZhsrDHJwsipeyl/LtFawHQ7ToWMYn5K3VzxdIb Original-Sender: pandoc-discuss-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org X-Gm-Message-State: AC+VfDxjf239kzMAA2aqmaSdjCzTVsE8oT/Qp2C37TcfxPa/JOK8fN9W LE5GGZhW14LzcIMAenZBY2U= X-Google-Smtp-Source: ACHHUZ5Bfam2BYRsj1bAa9N8JIAO2kmsAKzBMES/c+B6CTLvujJyRhcGIcfw6q4Df81B9grZaHB/0A== X-Received: by 2002:a9d:6f92:0:b0:6ab:1064:bd5a with SMTP id h18-20020a9d6f92000000b006ab1064bd5amr1293117otq.1.1683678250217; Tue, 09 May 2023 17:24:10 -0700 (PDT) X-BeenThere: pandoc-discuss-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org Original-Received: by 2002:a05:6870:3a0e:b0:196:416d:c3c7 with SMTP id du14-20020a0568703a0e00b00196416dc3c7ls279767oab.0.-pod-prod-06-us; Tue, 09 May 2023 17:24:06 -0700 (PDT) X-Received: by 2002:a05:6830:4c7:b0:6ab:cfe:cb3b with SMTP id s7-20020a05683004c700b006ab0cfecb3bmr1281881otd.4.1683678245908; Tue, 09 May 2023 17:24:05 -0700 (PDT) In-Reply-To: <73c2358c-ef08-411f-94e7-0d55e14b29b7n-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org> X-Original-Sender: me-nPKYAObcRdo6Blr+0TYHagC/G2K4zDHf@public.gmane.org Precedence: list Mailing-list: list pandoc-discuss-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org; contact pandoc-discuss+owners-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org List-ID: X-Google-Group-Id: 1007024079513 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , Xref: news.gmane.io gmane.text.pandoc:32576 Archived-At: ------=_Part_4288_57068399.1683678245251 Content-Type: multipart/alternative; boundary="----=_Part_4289_44651858.1683678245251" ------=_Part_4289_44651858.1683678245251 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Please keep in mind that when people are able to hack into your CI=20 pipelines, they can still tamper anyway. Maybe you can sign the PDF after generating it? Maybe take a lookt=20 at https://pypi.org/project/endesive/ On Tuesday, 9 May 2023 at 23:08:19 UTC+2 Malcolm Nixon wrote: > Yes, PDF/A (when combined with a digital signature such as PAdES) looks t= o=20 > be ideal in creating long-term tamper-resistant artifacts such as release= =20 > notes or test reports in CI pipelines. > > I found the PDF/A documentation and tried giving it a shot; however it=20 > looks like it only works with the ConTeXt engine, and the pandoc docker= =20 > images only come with LaTeX. > > I might have to take a diversion and look into docker ;) > > Many thanks, > > - Malcolm > > On Tuesday, May 9, 2023 at 6:52:19=E2=80=AFAM UTC-4 Stephan Meijer wrote: > >> With digitally signed, do you mean PDF/A? >> >> Pandoc has some info about it on their FAQ:=20 >> https://pandoc.org/faqs.html#how-can-i-produce-pdfa-with-pandoc >> >> Hope I was of any help. >> >> Stephan >> >> On Tuesday, 2 May 2023 at 00:42:57 UTC+2 Malcolm Nixon wrote: >> >>> Greetings all, >>> >>> I'm looking to use Pandoc to generate digitally-signed PDFs from a CI= =20 >>> workflow - specifically the digital signature would be evidence that th= e=20 >>> document hasn't been tampered with. >>> >>> While the underlying Miktek PDF generator has a "digsig" package, it=20 >>> looks like Pandoc doesn't have any command-line options for triggering = the=20 >>> signing of the output. >>> >>> Am I missing something in the documentation (such as some means of=20 >>> specifying custom miktek extensions).=20 >>> >>> Many thanks, >>> - Malcolm >>> >> --=20 You received this message because you are subscribed to the Google Groups "= pandoc-discuss" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to pandoc-discuss+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To view this discussion on the web visit https://groups.google.com/d/msgid/= pandoc-discuss/4fffb9ee-436c-4356-88d1-6c918d3b44e8n%40googlegroups.com. ------=_Part_4289_44651858.1683678245251 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Please keep in mind that when people are able to hack into your CI pipeline= s, they can still tamper anyway.

Maybe you can sign th= e PDF after generating it? Maybe take a lookt at=C2=A0https://pypi.org/proj= ect/endesive/

On Tuesday, 9 May 2023 at 23:08:19 UTC+2 Malcolm Nixo= n wrote:
Yes,= PDF/A (when combined with a digital signature such as PAdES) looks to be i= deal in creating long-term tamper-resistant artifacts such as release notes= or test reports in CI pipelines.

I found the PDF/A documentation an= d tried giving it a shot; however it looks like it only works with the ConT= eXt engine, and the pandoc docker images only come with LaTeX.

I might have to take a diversion and look into docker ;)
<= br>
Many thanks,

=C2=A0 =C2=A0 - Malcolm=

On Tuesday, May 9, 2023 at 6:52:19=E2=80=AFAM UTC-4 Stephan Mei= jer wrote:
With digita= lly signed, do you mean PDF/A?

Pandoc has some info abou= t it on their FAQ:=C2=A0https://pandoc.org= /faqs.html#how-can-i-produce-pdfa-with-pandoc

= Hope I was of any help.

Stephan

On Tuesday, 2 = May 2023 at 00:42:57 UTC+2 Malcolm Nixon wrote:
Greetings all,

I'm lookin= g to use Pandoc to generate digitally-signed PDFs from a CI workflow - spec= ifically the digital signature would be evidence that the document hasn'= ;t been tampered with.

While the underlying Miktek= PDF generator has a "digsig" package, it looks like Pandoc doesn= 't have any command-line options for triggering the signing of the outp= ut.

Am I missing something in the documentation (s= uch as some means of specifying custom miktek extensions).=C2=A0
=
Many thanks,
=C2=A0- Malcolm

--
You received this message because you are subscribed to the Google Groups &= quot;pandoc-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to pand= oc-discuss+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org.
To view this discussion on the web visit https://groups.google.com/d= /msgid/pandoc-discuss/4fffb9ee-436c-4356-88d1-6c918d3b44e8n%40googlegroups.= com.
------=_Part_4289_44651858.1683678245251-- ------=_Part_4288_57068399.1683678245251--