You might even be able to sign any existing PDF documents using just openssl.

Please keep in mind that when people are able to hack into your CI pipelines, they can still tamper anyway.

Maybe you can sign the PDF after generating it? Maybe take a look at https://pypi.org/project/endesive/

On Tuesday, 9 May 2023 at 23:08:19 UTC+2 Malcolm Nixon wrote:

Yes, PDF/A (when combined with a digital signature such as PAdES) looks to be ideal in creating long-term tamper-resistant artifacts such as release notes or test reports in CI pipelines.

I found the PDF/A documentation and tried giving it a shot; however it looks like it only works with the ConTeXt engine, and the pandoc docker images only come with LaTeX.

I might have to take a diversion and look into docker ;)

Many thanks,
- Malcolm

On Tuesday, May 9, 2023 at 6:52:19 AM UTC-4 Stephan Meijer wrote:

With digitally signed, do you mean PDF/A?

Pandoc has some info about it on their FAQ: https://pandoc.org/faqs.html#how-can-i-produce-pdfa-with-pandoc

Hope I was of any help.

Stephan

On Tuesday, 2 May 2023 at 00:42:57 UTC+2 Malcolm Nixon wrote:

Greetings all,

I'm looking to use Pandoc to generate digitally-signed PDFs from a CI workflow - specifically the digital signature would be evidence that the document hasn't been tampered with.

While the underlying Miktek PDF generator has a "digsig" package, it looks like Pandoc doesn't have any command-line options for triggering the signing of the output.

Am I missing something in the documentation (such as some means of specifying custom miktek extensions)?

Many thanks,
- Malcolm
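
Added example (not part of any post in this thread): one way to get tamper evidence for a generated PDF with only the openssl CLI is a detached CMS signature stored beside the file, which is not an embedded PDF/PAdES signature. The file names, certificate subject and throwaway self-signed key are constructed for the demonstration.

```bash
#!/bin/sh
# Detached CMS signature over a CI artifact, followed by a tamper check.

# Create a throwaway self-signed signing certificate. Assumption: a real
# pipeline would load its key from a secret store instead.
make_signer() {  # $1 = working directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=ci-signing-demo" \
    -keyout "$1/signer.key" -out "$1/signer.crt" 2>/dev/null
}

# Write a detached, DER-encoded CMS signature next to the artifact.
# -binary stops openssl from rewriting line endings in the PDF bytes.
sign_artifact() {  # $1 = artifact path, $2 = working directory
  openssl cms -sign -binary -in "$1" \
    -signer "$2/signer.crt" -inkey "$2/signer.key" \
    -outform DER -out "$1.p7s"
}

# Succeeds only if the signature matches the artifact bytes and the signer
# certificate is the trusted one. The demo certificate carries no key-usage
# extensions, so any purpose is accepted here.
verify_artifact() {  # $1 = artifact path, $2 = working directory
  openssl cms -verify -binary -inform DER -in "$1.p7s" \
    -content "$1" -CAfile "$2/signer.crt" -purpose any \
    -out /dev/null 2>/dev/null
}

demo() {
  demo_dir=$(mktemp -d) || return 1
  # Constructed stand-in for the PDF that pandoc would produce.
  printf '%%PDF-1.4\n%% constructed sample\n' > "$demo_dir/report.pdf"
  make_signer "$demo_dir" || return 1
  sign_artifact "$demo_dir/report.pdf" "$demo_dir" || return 1
  verify_artifact "$demo_dir/report.pdf" "$demo_dir" \
    && echo "untouched: signature verifies"
  # Simulate modification after signing.
  printf 'edited after signing\n' >> "$demo_dir/report.pdf"
  verify_artifact "$demo_dir/report.pdf" "$demo_dir" \
    || echo "modified: verification fails"
  rm -rf "$demo_dir"
}

demo
```

The signature only shows that the bytes are unchanged since signing by the holder of the key, so the key has to live somewhere the build steps that produce the PDF cannot read.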