From: Stephan Meijer
Newsgroups: gmane.text.pandoc
Subject: Re: Digitally Signed Outputs
Date: Tue, 9 May 2023 17:30:13 -0700 (PDT)
Message-ID: <7fd9f105-5d95-46ae-bf51-37c00c3532b7n@googlegroups.com>
To: pandoc-discuss

You might even be able to sign any existing PDF documents using just openssl.

On Wednesday, 10 May 2023 at 02:24:05 UTC+2 Stephan Meijer wrote:

> Please keep in mind that when people are able to hack into your CI
> pipelines, they can still tamper anyway.
>
> Maybe you can sign the PDF after generating it? Maybe take a look at
> https://pypi.org/project/endesive/
>
> On Tuesday, 9 May 2023 at 23:08:19 UTC+2 Malcolm Nixon wrote:
>
>> Yes, PDF/A (when combined with a digital signature such as PAdES) looks
>> to be ideal in creating long-term tamper-resistant artifacts such as
>> release notes or test reports in CI pipelines.
>>
>> I found the PDF/A documentation and tried giving it a shot; however it
>> looks like it only works with the ConTeXt engine, and the pandoc docker
>> images only come with LaTeX.
>>
>> I might have to take a diversion and look into docker ;)
>>
>> Many thanks,
>>
>> - Malcolm
>>
>> On Tuesday, May 9, 2023 at 6:52:19 AM UTC-4 Stephan Meijer wrote:
>>
>>> With digitally signed, do you mean PDF/A?
>>>
>>> Pandoc has some info about it on their FAQ:
>>> https://pandoc.org/faqs.html#how-can-i-produce-pdfa-with-pandoc
>>>
>>> Hope I was of any help.
>>>
>>> Stephan
>>>
>>> On Tuesday, 2 May 2023 at 00:42:57 UTC+2 Malcolm Nixon wrote:
>>>
>>>> Greetings all,
>>>>
>>>> I'm looking to use Pandoc to generate digitally-signed PDFs from a CI
>>>> workflow - specifically the digital signature would be evidence that the
>>>> document hasn't been tampered with.
>>>>
>>>> While the underlying Miktek PDF generator has a "digsig" package, it
>>>> looks like Pandoc doesn't have any command-line options for triggering the
>>>> signing of the output.
>>>>
>>>> Am I missing something in the documentation (such as some means of
>>>> specifying custom miktek extensions)?
>>>>
>>>> Many thanks,
>>>> - Malcolm

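One way to follow the "sign the PDF after generating it ... using just openssl" suggestion in this thread, as an added example that is not from any of the posters: a detached CMS signature stored next to the artifact. It does not embed a PAdES signature in the PDF itself, so a PDF viewer will not show it. The self-signed certificate, the file names and the function names are constructed for the demo.

```shell
# Added example: detached CMS signature over a CI-generated PDF with openssl.
# All names below (ci.key, ci.crt, report.pdf) are constructed for the demo.

# Throwaway self-signed signing identity; a real pipeline would load a
# CA-issued key from its secret store rather than generate one per run.
make_demo_identity() {  # $1 = working directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=ci-signing-demo" \
    -keyout "$1/ci.key" -out "$1/ci.crt" 2>/dev/null
}

# Sign file $2 with the identity in $1; the detached DER signature is
# written to $2.p7s and the PDF itself is left byte-for-byte unchanged.
sign_artifact() {
  openssl cms -sign -binary -md sha256 -outform DER \
    -signer "$1/ci.crt" -inkey "$1/ci.key" \
    -in "$2" -out "$2.p7s"
}

# Verify file $2 against $2.p7s, trusting only the certificate in $1.
# Exit status is 0 only if the content matches what was signed.
verify_artifact() {
  openssl cms -verify -binary -inform DER \
    -in "$2.p7s" -content "$2" \
    -CAfile "$1/ci.crt" -purpose any -out /dev/null 2>/dev/null
}

# Sign a constructed stand-in for pandoc's output, verify it, change one
# byte after signing, and verify again.
demo() {
  d=$(mktemp -d) || return 1
  printf '%%PDF-1.7\n%% constructed sample, not a real report\n' > "$d/report.pdf"
  make_demo_identity "$d" && sign_artifact "$d" "$d/report.pdf" || return 1
  verify_artifact "$d" "$d/report.pdf" && before=ok || before=rejected
  printf 'x' >> "$d/report.pdf"   # modification after signing
  verify_artifact "$d" "$d/report.pdf" && after=ok || after=rejected
  rm -rf "$d"
  echo "unmodified=$before tampered=$after"
}
```

The signing key here lives inside the job that builds the PDF, so the caveat raised in the thread applies: the signature only shows the file was not changed after signing, and holding the key outside the build step is what limits who can produce a valid one.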