feat: re-wire signed-section signing for the Hugo Blox build #2
Merged
Adapts the existing htmltrust-hugo + htmltrust-sign pipeline to the new Hugo Blox layout system. The opt-in front-matter (htmltrust.sign + htmltrust.claims) and the partial-based <signed-section> wrap were already landed in 3868951; this change completes the integration.

CI pipeline:
- actions upgraded to current majors so the Node 20 deprecation warning goes away (checkout@v6, setup-go@v6, setup-node@v6, upload-artifact@v7, download-artifact@v8, wrangler-action@v4)
- Hugo build emits <signed-section> placeholders carrying data-htmltrust-placeholder markers on every page that opts in
- placeholder count is verified (expect ≥6: spec, architecture, implementation, use-cases, faq, blog/paper-published)
- htmltrust-sign (installed via `go install`) rewrites the four required attributes (content-hash, signature, keyid, algorithm) using the full Unicode canonicalization spec and the Ed25519 key from HTMLTRUST_SIGNING_KEY
- final verification asserts no placeholder markers remain and every signed-section has the four spec-required attributes

Other:
- layouts/faq/list.html: override Blox's specialized FAQ template so /faq/ also goes through the signing partial (the top-level list.html and single.html overrides already cover /spec/, /architecture/, /implementation/, /use-cases/, blog posts)
- params.yaml: use did:web:jason-grey.com as keyid (DID document is hosted at jason-grey.com) while keeping www.htmltrust.org as the binding domain
- content/architecture/_index.md: rephrase the literal <signed-section> strings inside mermaid sequence-diagram messages so they render as text, not as nested HTML elements that the signer would otherwise try to sign

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

Completes the htmltrust-hugo + htmltrust-sign integration on the new Hugo Blox build. The opt-in front-matter and the partial-based <signed-section> wrap were already landed in 3868951; this PR closes the loop:

- htmltrust-sign → sign → verify four spec-required attributes (content-hash, signature, keyid, algorithm)
- /faq/ to a specialized template (layouts/faq/list.html) that the previous override pair didn't cover
- /architecture/ — the sequence-diagram messages used literal <signed-section> strings which rendered as nested HTML elements; the signer was finding 3 sections on that page. Rephrased to plain text.

Signed pages (6)

- /spec/
- /architecture/
- /implementation/
- /use-cases/
- /faq/
- /blog/paper-published/

Test plan

- hugo --minify emits 6 pages with data-htmltrust-placeholder markers
- htmltrust-sign rewrites them to 6 sections with all four attributes (no placeholder markers remaining)

🤖 Generated with Claude Code
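A per-page version of the final verification described above, as an added example (not the repository's CI script and not htmltrust-sign code). It assumes the placeholder marker is an attribute on the element, uses constructed sample pages, and also flags nested sections, the failure mode the /architecture/ fix addresses. It checks that attributes are present, not that signatures are valid.

```python
from html.parser import HTMLParser

REQUIRED = ("content-hash", "signature", "keyid", "algorithm")  # named in the PR
PLACEHOLDER = "data-htmltrust-placeholder"  # assumption: an attribute on the element


class SignedSectionAudit(HTMLParser):
    """Collect problems with <signed-section> elements in one built page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.depth = 0      # current <signed-section> nesting depth
        self.count = 0      # top-level sections seen
        self.problems = []

    def handle_starttag(self, tag, attrs):
        if tag != "signed-section":
            return
        line = self.getpos()[0]
        self.depth += 1
        if self.depth > 1:  # a section inside a section: markup leaked into content
            self.problems.append(f"line {line}: nested <signed-section>")
            return
        self.count += 1
        attrs = dict(attrs)
        if PLACEHOLDER in attrs:
            self.problems.append(f"line {line}: placeholder marker still present")
        for name in REQUIRED:
            if not attrs.get(name):  # absent, valueless, or empty string
                self.problems.append(f"line {line}: missing or empty {name}")

    def handle_endtag(self, tag):
        if tag == "signed-section" and self.depth:
            self.depth -= 1


def audit_page(html):
    """Return (top_level_section_count, problems) for one page's HTML."""
    parser = SignedSectionAudit()
    parser.feed(html)
    parser.close()
    return parser.count, parser.problems


# Constructed sample pages; attribute values are placeholders, not real signatures.
SIGNED = ('<main><signed-section content-hash="sha256:AAAA" signature="BBBB" '
          'keyid="did:web:example.invalid" algorithm="ed25519"><p>ok</p></signed-section></main>')
UNSIGNED = '<signed-section data-htmltrust-placeholder content-hash=""><p>x</p></signed-section>'
NESTED = SIGNED.replace("<p>ok</p>", "<p><signed-section>text</signed-section></p>")
```

Summing the counts returned for every built page gives the site-wide total to compare against the expected six.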