refactor: decompose flake and improve code quality

Flake structure:
- Split flake.nix into modular nix/{package,checks,shell,git-hooks}.nix
- Use rec attrset in package.nix to avoid let overuse
- Extract e2e test to scripts/e2e.sh with optional $out handling

Git hooks:
- Add git-hooks.nix integration with pre-commit checks
- Enable nixfmt, shellcheck, rustfmt, and clippy hooks
- Auto-install hooks in devShell via shellHook

CI and tooling:
- Update GitHub Actions workflow matrix configuration
- Add rustfmt.toml configuration file
- Ignore auto-generated .pre-commit-config.yaml

Code improvements:
- Improve error handling in keybox.rs with better fallback logic
- Add CRLF line ending preservation in PDF signature extraction
- Add tests for signature extraction with different line endings
- Improve default output path handling in sign.rs
- Remove unused fields from JSON output
- Clean up trailing whitespace and formatting
- Use ExitCode instead of Result<()> in main

Author: 0x77dev

.github/workflows/ci.yml

@@ -4,16 +4,22 @@ on:
   push:
     branches: [main]
   pull_request:
-    types: [ready_for_review]
+    types: [opened, synchronize, reopened, ready_for_review]
 
 jobs:
   build:
-    name: Build (${{ matrix.os }})
-    runs-on: ${{ matrix.os }}
+    name: Build (${{ matrix.name }})
+    runs-on: ${{ matrix.runs_on }}
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
+        include:
+          - name: linux-amd64
+            runs_on: ubuntu-24.04
+          - name: linux-arm64
+            runs_on: ubuntu-24.04-arm
+          - name: macos-arm64
+            runs_on: macos-26
 
     steps:
       - name: Checkout
@@ -48,7 +54,7 @@ jobs:
       - name: Upload artifact
         uses: actions/upload-artifact@v4
         with:
-          name: pdf-sign-${{ runner.os }}-${{ matrix.os }}
+          name: pdf-sign-${{ matrix.name }}
           path: dist/*
 
 

.gitignore

@@ -3,3 +3,4 @@ target
 result
 result-*
 .direnv/
+/.pre-commit-config.yaml

flake.lock

@@ -14,101 +14,56 @@
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
     flake-utils.url = "github:numtide/flake-utils";
     crane.url = "github:ipetkov/crane";
+    git-hooks.url = "github:cachix/git-hooks.nix";
   };
 
-  outputs = { self, nixpkgs, flake-utils, crane, ... }:
-    flake-utils.lib.eachDefaultSystem (system:
+  outputs =
+    {
+      self,
+      nixpkgs,
+      flake-utils,
+      crane,
+      git-hooks,
+      ...
+    }:
+    flake-utils.lib.eachDefaultSystem (
+      system:
       let
         pkgs = import nixpkgs {
           inherit system;
         };
 
         craneLib = crane.mkLib pkgs;
-        lib = pkgs.lib;
 
-        commonArgs = {
-          src = craneLib.cleanCargoSource ./.;
-          strictDeps = true;
-
-          nativeBuildInputs = with pkgs; [
-            pkg-config
-            capnproto
-          ];
-        };
-
-        cargoArtifacts = craneLib.buildDepsOnly commonArgs;
-
-        meta = with lib; {
-          description = "Lightweight PDF signing tool that appends detached OpenPGP signatures (delegates signing to gpg-agent)";
-          homepage = "https://github.com/0x77dev/pdf-sign";
-          license = licenses.gpl3Only;
-          mainProgram = "pdf-sign";
-          platforms = platforms.unix;
+        package = import ./nix/package.nix {
+          inherit pkgs craneLib;
+          lib = pkgs.lib;
         };
-
-        pdfSign = craneLib.buildPackage (commonArgs // {
-          inherit cargoArtifacts;
-          meta = meta;
-        });
       in
       {
-        checks = {
-          pdf-sign-e2e = pkgs.runCommand "pdf-sign-e2e" {
-            nativeBuildInputs = with pkgs; [ gnupg ];
-          } ''
-            set -euo pipefail
-
-            export GNUPGHOME="$(mktemp -d)"
-            chmod 700 "$GNUPGHOME"
-
-            # Non-interactive agent defaults: sequoia-gpg-agent sends OPTION values,
-            # keep them non-empty even in CI.
-            export GPG_TTY=/dev/null
-            export LANG=C
-
-            gpgconf --launch gpg-agent
-
-            gpg --batch --pinentry-mode loopback --passphrase "" \
-              --quick-generate-key "CI Test <ci@example.invalid>" default default never
-
-            gpg --batch --armor --export "ci@example.invalid" > cert.asc
-
-            cat > input.pdf <<'EOF'
-%PDF-1.1
-1 0 obj
-<<>>
-endobj
-trailer
-<<>>
-%%EOF
-EOF
-
-            signed="$(${pdfSign}/bin/pdf-sign sign input.pdf --key cert.asc)"
-            ${pdfSign}/bin/pdf-sign verify "$signed" --cert cert.asc | grep -x OK >/dev/null
+        checks = import ./nix/checks.nix {
+          inherit
+            pkgs
+            craneLib
+            package
+            git-hooks
+            system
+            ;
+        };
 
-            touch "$out"
-          '';
+        packages = {
+          default = package.pdfSign;
+          pdf-sign = package.pdfSign;
         };
 
-        packages =
-          {
-            default = pdfSign;
-            pdf-sign = pdfSign;
+        devShells.default = import ./nix/shell.nix {
+          inherit pkgs;
+          pdfSign = package.pdfSign;
+          pre-commit-check = import ./nix/git-hooks.nix {
+            inherit git-hooks system pkgs;
+            src = ./.;
           };
-
-        devShells.default = pkgs.mkShell {
-          inputsFrom = [ pdfSign ];
-          packages = with pkgs; [
-            rustc
-            cargo
-            rustfmt
-            clippy
-            pkg-config
-            capnproto
-          ];
         };
       }
     );
 }
-
-

flake.nix

@@ -0,0 +1,30 @@
+{
+  pkgs,
+  craneLib,
+  package,
+  git-hooks,
+  system,
+}:
+{
+  pre-commit-check = import ./git-hooks.nix {
+    inherit git-hooks system pkgs;
+    src = ../.;
+  };
+
+  cargo-test = craneLib.cargoTest (
+    package.commonArgs
+    // {
+      cargoArtifacts = package.cargoArtifacts;
+    }
+  );
+
+  pdf-sign-e2e =
+    pkgs.runCommand "pdf-sign-e2e"
+      {
+        nativeBuildInputs = with pkgs; [ gnupg ];
+      }
+      ''
+        export PDF_SIGN="${package.pdfSign}/bin/pdf-sign"
+        ${builtins.readFile ../scripts/e2e.sh}
+      '';
+}

nix/checks.nix

@@ -0,0 +1,16 @@
+{
+  git-hooks,
+  system,
+  pkgs,
+  src ? ../.,
+}:
+
+git-hooks.lib.${system}.run {
+  inherit src;
+
+  hooks = {
+    nixfmt.enable = true;
+    shellcheck.enable = true;
+    rustfmt.enable = true;
+  };
+}

nix/git-hooks.nix

@@ -0,0 +1,32 @@
+{
+  pkgs,
+  craneLib,
+  lib,
+}:
+rec {
+  commonArgs = {
+    src = craneLib.cleanCargoSource ../.;
+    strictDeps = true;
+
+    nativeBuildInputs = with pkgs; [
+      pkg-config
+      capnproto
+    ];
+  };
+
+  cargoArtifacts = craneLib.buildDepsOnly commonArgs;
+
+  pdfSign = craneLib.buildPackage (
+    commonArgs
+    // {
+      inherit cargoArtifacts;
+      meta = with lib; {
+        description = "Lightweight PDF signing tool that appends detached OpenPGP signatures (delegates signing to gpg-agent)";
+        homepage = "https://github.com/0x77dev/pdf-sign";
+        license = licenses.gpl3Only;
+        mainProgram = "pdf-sign";
+        platforms = platforms.unix;
+      };
+    }
+  );
+}

nix/package.nix

@@ -0,0 +1,22 @@
+{
+  pkgs,
+  pdfSign,
+  pre-commit-check,
+}:
+pkgs.mkShell {
+  inputsFrom = [ pdfSign ];
+
+  shellHook = pre-commit-check.shellHook;
+
+  packages =
+    with pkgs;
+    [
+      rustc
+      cargo
+      rustfmt
+      clippy
+      pkg-config
+      capnproto
+    ]
+    ++ pre-commit-check.enabledPackages;
+}