You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+22-5Lines changed: 22 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,23 @@
1
1
# pdf-sign
2
2
3
-
A minimalist, agent-centric PDF signing utility written in Rust utilizing. It generates Adobe-compliant detached PGP signatures appended to PDF documents while strictly delegating all cryptographic operations to the GPG Agent.
3
+
A lightweight, modern PDF signing utility written in Rust. It creates an Adobe-compatible detached OpenPGP (GPG) signature and appends it to the PDF, making it easy to sign and verify documents without dragging in heavyweight PDF signing stacks.
4
+
5
+
It’s designed to be a practical alternative to “traditional” PDF signing workflows: minimal setup, scriptable CLI, and it delegates cryptography to your existing `gpg-agent` (including smartcards/YubiKey).
6
+
7
+
The signed output stays minimal: the original PDF content is preserved and the signature is appended, keeping the file compliant so it still opens normally in standard PDF viewers.
8
+
9
+
## Features
10
+
11
+
***Simple CLI**: `sign` and `verify` commands that compose well in pipelines.
12
+
***Works with your existing GPG setup**: Uses `gpg-agent` and your keyring (respects `GNUPGHOME`).
13
+
***Hardware-friendly**: Private keys can stay on a smartcard/YubiKey.
14
+
***Lightweight distribution**: Single-file script you can run directly (see Quickstart).
15
+
16
+
## Security model
17
+
18
+
***No private keys in the tool**: All signing operations are performed by `gpg-agent`.
19
+
***Reduced key exposure**: Private keys never need to be loaded into this process.
20
+
***Explicit verification**: Verifies the appended signature against a provided certificate.
4
21
5
22
## Quickstart
6
23
@@ -25,12 +42,12 @@ chmod +x pdf-sign.rs
25
42
26
43
## Methodology
27
44
28
-
This tool adheres to a "No-Key-In-Memory" architecture. It acts as a bridge between the PDF file structure and the GPG Agent socket.
45
+
`pdf-sign` focuses on doing the minimum work needed to connect PDF bytes to `gpg-agent` safely:
29
46
30
47
1.**PDF Parsing**: Locates the `%%EOF` marker to identify the exact byte range for signing.
31
-
2.**Agent Delegation**: Connects directly to the `gpg-agent`Unix socket using the Assuan protocol via `sequoia-gpg-agent`.
32
-
3.**Hardware Isolation**: Private keys never leave the secure element (YubiKey/Smartcard) or the agent's protected memory. The tool only handles the public certificate stub.
33
-
4.**Standardization**: Produces an ASCII-armored detached signature packet and appends it to the PDF, ensuring compatibility with standard verification tools.
48
+
2.**Agent Delegation**: Talks to `gpg-agent`(Assuan protocol via `sequoia-gpg-agent`) to perform signing.
49
+
3.**Key Isolation**: Your private key stays in `gpg-agent` or on hardware; the tool only handles public material.
50
+
4.**Compatibility**: Produces an ASCII-armored detached signature packet and appends it to the PDF for verification.
0 commit comments