Sun Dec 14 21:28:57 PST 2025

Author: 0x77dev

.envrc

@@ -5,4 +5,4 @@ has nix
 watch_dir nix
 watch_file flake.nix
 watch_file flake.lock
-use flake .
+use flake . -L --accept-flake-config

.github/workflows/ci.yml

@@ -10,6 +10,10 @@ jobs:
   build:
     name: Build (${{ matrix.name }})
     runs-on: ${{ matrix.runs_on }}
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
     strategy:
       fail-fast: false
       matrix:
@@ -36,7 +40,6 @@ jobs:
         with:
           name: pdf-sign
           authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
-          skipPush: ${{ github.event_name == 'pull_request' }}
 
       - name: Build (flake)
         run: |
@@ -51,6 +54,11 @@ jobs:
           mkdir -p dist
           cp -L result/bin/pdf-sign "dist/pdf-sign-${{ runner.os }}-$(uname -m)"
 
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: dist/*
+
       - name: Upload artifact
         uses: actions/upload-artifact@v6
         with:
@@ -86,7 +94,6 @@ jobs:
         with:
           name: pdf-sign
           authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
-          skipPush: ${{ github.event_name == 'pull_request' }}
 
       - name: Build dev shell
         run: |

README.md

@@ -14,12 +14,18 @@ Many "enterprise PDF signing" solutions require a full **CMS/PKCS#7** / **X.509
 
 * **Two signing backends**: Choose between traditional GPG (with hardware key support) or modern Sigstore (keyless OIDC).
 * **Preserves PDF integrity**: Original PDF content unchanged; signatures appended after `%%EOF`.
-* **Multi-signer workflow**: Supports multiple signatures (GPG + Sigstore) on the same document.
+* **Multi-signer workflow**: Supports multiple signatures (GPG + Sigstore) on the same document, and/or multi-party signing.
 * **Privacy-preserving**: No extra PII embedded; library never logs sensitive data.
-* **Portable architecture**: Clean core library (WASM-ready) with pluggable backends.
 
 ## Quickstart
 
+### Install with Nix
+
+```bash
+nix profile install github:0x77dev/pdf-sign#pdf-sign
+pdf-sign --help
+```
+
 ### Install with Cargo
 
 ```bash
@@ -35,13 +41,6 @@ pdf-sign sign --backend sigstore document.pdf
 pdf-sign verify document_signed.pdf
 ```
 
-### Install with Nix
-
-```bash
-nix profile install github:0x77dev/pdf-sign#pdf-sign
-pdf-sign --help
-```
-
 ### Build from Source
 
 ```bash
@@ -211,7 +210,6 @@ pdf-sign apply-response document.pdf \
 
 * **Portable core**: PDF splitting, suffix parsing, digest abstraction (no CLI/UI deps).
 * **Pluggable backends**: Clean separation between GPG and Sigstore signing logic.
-* **WASM-ready**: Core library and backends compile to WebAssembly.
 * **Hash agility**: SHA-512 default with SRI-style encoding (`sha512-<base64>`).
 * **Versioned format**: Sigstore blocks use bilrost (efficient binary) with version tagging.
 * **Structured tracing**: Full `tracing` instrumentation (never logs sensitive data).
@@ -280,25 +278,6 @@ Versioned bilrost-encoded blocks with digest binding:
 * Network access (Fulcio, Rekor, OIDC provider)
 * No keys/certs required
 
-## Workspace Structure
-
-```text
-crates/
-├── core/      # Portable library (PDF, suffix, digest) - WASM-compatible
-├── gpg/       # OpenPGP backend (sequoia) - WASM-compatible
-├── sigstore/  # Sigstore keyless backend - WASM-compatible
-├── wasm/      # WebAssembly bindings with TypeScript definitions
-└── cli/       # CLI with UI/JSON/tracing setup - Native only
-```
-
-Modular design enables:
-
-* Backend-agnostic PDF processing
-* Full WASM support (core + gpg + sigstore)
-* Clean testing boundaries
-* Structured tracing without data leakage
-* TypeScript-first browser integration
-
 ## Environment Variables
 
 * `GNUPGHOME`: GPG keybox location (default: `~/.gnupg`)
@@ -382,37 +361,6 @@ pdf-sign apply-response sensitive.pdf \
 pdf-sign verify sensitive_signed.pdf
 ```
 
-### WASM in browser
-
-```bash
-# Build WASM package with Nix
-nix develop
-cd crates/wasm
-wasm-pack build --target web
-
-# Copy pkg/ to your web project
-cp -r pkg /path/to/your/web/project/
-```
-
-```javascript
-import init, { prepare_challenge, apply_response, verify_gpg } from './pkg/pdf_sign_wasm.js';
-
-await init();
-
-// Client-side GPG verification
-const pdfFile = await fetch('document_signed.pdf');
-const pdfBytes = new Uint8Array(await pdfFile.arrayBuffer());
-const result = verify_gpg(pdfBytes);
-
-if (result.valid) {
-  console.log('Valid signatures:');
-  result.gpg_signatures.forEach(sig => {
-    console.log(`  - ${sig.fingerprint}`);
-    sig.uids.forEach(uid => console.log(`    ${uid}`));
-  });
-}
-```
-
 ## License
 
-GPL-3.0-only
+GPL-3.0-only – See [`LICENSE`](./LICENSE).

flake.nix

@@ -4,9 +4,11 @@
   nixConfig = {
     extra-substituters = [
       "https://pdf-sign.cachix.org"
+      "https://nix-community.cachix.org"
     ];
     extra-trusted-public-keys = [
       "pdf-sign.cachix.org-1:RjOq/uF6ksxVZsLfI9+SW4Nkhcc63+klWAoAtkZRF2U="
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
     ];
   };
 

nix/package.nix

@@ -54,6 +54,30 @@ rec {
         mainProgram = "pdf-sign";
         platforms = platforms.unix;
       };
+
+      passthru.image = image;
     }
   );
+
+  image = pkgs.dockerTools.buildLayeredImage {
+    name = "ghcr.io/0x77dev/pdf-sign";
+    tag = "latest";
+
+    contents = [ pdfSign ];
+
+    config = {
+      Cmd = [ "${lib.getExe pdfSign}" ];
+      WorkingDir = "/work";
+      Env = [
+        "GNUPGHOME=/gnupg"
+      ];
+      ExposedPorts = {
+        "8080/tcp" = { };
+      };
+      Volumes = {
+        "/gnupg" = { };
+        "/work" = { };
+      };
+    };
+  };
 }