Sun Dec 14 21:03:35 PST 2025

Author: 0x77dev

.github/workflows/ci.yml

@@ -57,4 +57,38 @@ jobs:
           name: pdf-sign-${{ matrix.name }}
           path: dist/*
 
+  shell:
+    name: Dev Shell (${{ matrix.name }})
+    runs-on: ${{ matrix.runs_on }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: linux-amd64
+            runs_on: ubuntu-24.04
+          - name: linux-arm64
+            runs_on: ubuntu-24.04-arm
+          - name: macos-arm64
+            runs_on: macos-26
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v31
+        with:
+          extra_nix_config: |
+            accept-flake-config = true
+
+      - name: Cachix
+        uses: cachix/cachix-action@v16
+        with:
+          name: pdf-sign
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+          skipPush: ${{ github.event_name == 'pull_request' }}
+
+      - name: Build dev shell
+        run: |
+          nix develop --command true
 

README.md

@@ -1,9 +1,13 @@
 # pdf-sign
 
-A lightweight, modern PDF signing utility written in Rust that supports both **OpenPGP (GPG)** and **Sigstore (keyless OIDC)** signatures. It appends cryptographic signatures directly to PDFs, making it easy to sign and verify documents without heavyweight PDF signing stacks.
+A lightweight, modern PDF signing utility written in Rust that supports both **OpenPGP (GPG)** and **Sigstore (keyless OIDC)** signatures. It appends cryptographic signatures directly to PDFs, making it easy to sign and verify documents without heavyweight PDF signing stacks, making your PDFs authentic and tamper-proof.
+
+[![asciicast](https://asciinema.org/a/JXR1crpqtcbMT1DIhD3dzXFB9.svg)](https://asciinema.org/a/JXR1crpqtcbMT1DIhD3dzXFB9)
 
 ## Why pdf-sign?
 
+With `pdf-sign`, anyone can sign a PDF using their existing Google, Microsoft, or GitHub account – no cryptographic keys to generate, store, or manage. For power users and security-conscious workflows, it also supports GPG with full hardware key (YubiKey/smartcard) integration. Whether you're a huge company automating signatures, or just need to sign a contract, `pdf-sign` gets out of your way.
+
 Many "enterprise PDF signing" solutions require a full **CMS/PKCS#7** / **X.509 PKI** toolchain (certificate chains, policy constraints, CRL/OCSP revocation, time-stamping/TSAs) plus PDF-form machinery to produce **PAdES** signatures. Those stacks are powerful, but complex to configure, audit, and automate.
 
 `pdf-sign` intentionally stays minimal and scriptable:

crates/cli/src/commands.rs

@@ -117,14 +117,6 @@ pub fn verify_pdf(
       || certificate_oidc_issuer.is_some()
       || certificate_oidc_issuer_regexp.is_some();
 
-    if !has_sigstore_constraints {
-      bail!(
-        "Sigstore signatures found, but no verification policy provided.\n\
-                 Please specify --certificate-identity and --certificate-oidc-issuer\n\
-                 (or their regexp variants) to verify Sigstore signatures."
-      );
-    }
-
     let cert_identity_matcher = match (certificate_identity, certificate_identity_regexp) {
       (Some(exact), None) => Some(CertificateIdentityMatcher::Exact(exact)),
       (None, Some(re)) => Some(CertificateIdentityMatcher::Regexp(re)),
@@ -142,11 +134,23 @@ pub fn verify_pdf(
       certificate_oidc_issuer: cert_issuer_matcher,
     };
 
-    let options = SigstoreVerifyOptions { policy, offline };
-
     let rt = tokio::runtime::Runtime::new()?;
 
     for bundle_block in &sigstore_blocks {
+      // If the user didn't provide an explicit policy, use the embedded
+      // identity/issuer from the Sigstore bundle itself.
+      let options = if has_sigstore_constraints {
+        let policy = policy.clone();
+        SigstoreVerifyOptions { policy, offline }
+      } else {
+        let (id, iss) = pdf_sign_sigstore::verify::extract_identity_from_block(bundle_block)?;
+        let policy = VerifyPolicy {
+          certificate_identity: Some(CertificateIdentityMatcher::Exact(id)),
+          certificate_oidc_issuer: Some(OidcIssuerMatcher::Exact(iss)),
+        };
+        SigstoreVerifyOptions { policy, offline }
+      };
+
       let result = rt.block_on(verify_blob(pdf_data, bundle_block, &options))?;
       sigstore_verified.push(result);
     }

crates/sigstore/src/verify.rs

@@ -33,6 +33,17 @@ pub struct VerifyOptions {
   pub offline: bool,
 }
 
+/// Extract identity + issuer from the embedded Sigstore bundle block.
+///
+/// This can be used to show users what values to pass as
+/// `--certificate-identity` and `--certificate-oidc-issuer` for pinned
+/// verification.
+pub fn extract_identity_from_block(bundle_block: &SigstoreBundleBlock) -> Result<(String, String)> {
+  let bundle: sigstore::bundle::Bundle = serde_json::from_slice(&bundle_block.bundle_json)
+    .context("Failed to parse Sigstore bundle JSON")?;
+  extract_identity_from_bundle(&bundle)
+}
+
 /// Verify a Sigstore bundle block against the given data.
 ///
 /// Returns verified signature information on success.
@@ -238,10 +249,19 @@ fn extract_identity_from_bundle(bundle: &sigstore::bundle::Bundle) -> Result<(St
     .extensions
     .as_ref()
     .and_then(|exts| exts.iter().find(|ext| ext.extn_id == issuer_oid))
-    .and_then(|ext| String::from_utf8(ext.extn_value.clone().into_bytes()).ok())
+    .and_then(|ext| {
+      let s = String::from_utf8(ext.extn_value.clone().into_bytes()).ok()?;
+      Some(
+        s.trim_matches(|c: char| c.is_whitespace() || c == '\0')
+          .to_string(),
+      )
+    })
     .unwrap_or_else(|| "unknown".to_string());
 
-  Ok((cert_identity, cert_issuer))
+  Ok((
+    cert_identity.trim().to_string(),
+    cert_issuer.trim().to_string(),
+  ))
 }
 
 /// Extract display-friendly bundle info (for output).
@@ -285,10 +305,15 @@ fn extract_bundle_info(bundle: &sigstore::bundle::Bundle) -> Result<(String, Str
   let san = SubjectAltName::from_der(san_ext.extn_value.as_bytes())
     .context("Failed to parse SAN extension")?;
 
+  use x509_cert::ext::pkix::name::GeneralName;
   let cert_identity = san
     .0
-    .first()
-    .map(|name| format!("{:?}", name))
+    .iter()
+    .find_map(|name| match name {
+      GeneralName::Rfc822Name(email) => Some(email.to_string()),
+      GeneralName::UniformResourceIdentifier(uri) => Some(uri.to_string()),
+      _ => None,
+    })
     .unwrap_or_else(|| "unknown".to_string());
 
   // Extract issuer from OIDC Issuer extension (OID 1.3.6.1.4.1.57264.1.1)
@@ -303,5 +328,10 @@ fn extract_bundle_info(bundle: &sigstore::bundle::Bundle) -> Result<(String, Str
     .and_then(|ext| String::from_utf8(ext.extn_value.clone().into_bytes()).ok())
     .unwrap_or_else(|| "unknown".to_string());
 
-  Ok((cert_identity, cert_issuer))
+  Ok((
+    cert_identity.trim().to_string(),
+    cert_issuer
+      .trim_matches(|c: char| c.is_whitespace() || c == '\0')
+      .to_string(),
+  ))
 }

flake.nix

@@ -51,19 +51,26 @@
             ;
         };
 
-        packages = {
-          default = package.pdfSign;
-          pdf-sign = package.pdfSign;
-          pdf-sign-wasm =
-            (import ./nix/wasm.nix {
+        packages =
+          let
+            autocast = import ./nix/demo.nix {
               inherit pkgs craneLib;
               lib = pkgs.lib;
-            }).pdf-sign-wasm;
-        };
+            };
+          in
+          {
+            default = package.pdfSign;
+            pdf-sign = package.pdfSign;
+            inherit autocast;
+          };
 
         devShells.default = import ./nix/shell.nix {
           inherit pkgs;
           pdfSign = package.pdfSign;
+          autocast = import ./nix/demo.nix {
+            inherit pkgs craneLib;
+            lib = pkgs.lib;
+          };
           pre-commit-check = import ./nix/git-hooks.nix {
             inherit git-hooks system pkgs;
             src = ./.;

nix/demo.nix

@@ -0,0 +1,24 @@
+{
+  pkgs,
+  craneLib,
+  lib,
+}:
+let
+  autocastSrc = pkgs.fetchFromGitHub {
+    owner = "k9withabone";
+    repo = "autocast";
+    rev = "v0.1.0";
+    hash = "sha256-F8RTXcBe3eqzwR48CcU1DpqRzhMBztGIXJrJsQdjgks=";
+  };
+in
+craneLib.buildPackage {
+  pname = "autocast";
+  src = autocastSrc;
+  strictDeps = true;
+
+  meta = with lib; {
+    description = "Automate terminal demos";
+    homepage = "https://github.com/k9withabone/autocast";
+    mainProgram = "autocast";
+  };
+}

nix/shell.nix

@@ -1,6 +1,7 @@
 {
   pkgs,
   pdfSign,
+  autocast,
   pre-commit-check,
 }:
 pkgs.mkShell {
@@ -27,6 +28,10 @@ pkgs.mkShell {
       # Web development
       bun
       nodejs_24
+
+      # Demo tools
+      asciinema
+      autocast
     ]
     ++ pre-commit-check.enabledPackages;
 }

nix/wasm.nix

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+# Preparation + runner for tools/autocast.yaml.
+#
+# Run this script (e.g. from fish) to generate a recording without
+# polluting the demo with setup/teardown “time segments”.
+
+set -Eeuo pipefail
+
+_pdf_sign_demo_mktemp_dir() {
+  mktemp -d 2>/dev/null || mktemp -d -t pdf-sign-demo
+}
+
+_pdf_sign_demo_cleanup() {
+  {
+    if [[ -n "${_PDF_SIGN_DEMO_DIR:-}" ]]; then
+      rm -rf "${_PDF_SIGN_DEMO_DIR}" 2>/dev/null || true
+    fi
+  } >/dev/null 2>&1 || true
+}
+
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
+ROOT_DIR="$(cd -- "${SCRIPT_DIR}/.." && pwd)"
+
+YAML="${ROOT_DIR}/scripts/autocast.yaml"
+OUT="${1:-${ROOT_DIR}/demo.rec}"
+
+_PDF_SIGN_DEMO_DIR="$(_pdf_sign_demo_mktemp_dir)"
+
+# Isolated keychain.
+export GNUPGHOME="${_PDF_SIGN_DEMO_DIR}/gnupg"
+mkdir -p "$GNUPGHOME"
+chmod 700 "$GNUPGHOME"
+
+# Make gpg-agent happy / non-interactive.
+export GPG_TTY=/dev/null
+export LANG=C
+export TERM=xterm-256color
+
+# Start agent (best-effort).
+gpgconf --launch gpg-agent >/dev/null 2>&1 || true
+
+# Ephemeral demo key in the isolated keybox.
+gpg --batch --pinentry-mode loopback --passphrase "" \
+  --quick-generate-key "Demo <demo@example.invalid>" default default never \
+  >/dev/null 2>&1
+
+# Sample PDF.
+curl -fsSL -o "${_PDF_SIGN_DEMO_DIR}/bitcoin.pdf" https://bitcoin.org/bitcoin.pdf >/dev/null 2>&1
+
+trap _pdf_sign_demo_cleanup EXIT
+
+# Run autocast from inside the demo directory so relative filenames match.
+cd "${_PDF_SIGN_DEMO_DIR}"
+
+autocast "${YAML}" "${OUT}" -d 88ms --overwrite
+