@majikah/majik-signature 0.0.4 → 0.0.6

package/dist/core/embed/handlers/pdf.d.ts

@@ -1,21 +1,23 @@
 /**
- * handlers/pdf.ts — PDF handler using pdf-lib
+ * handlers/pdf.ts — PDF handler
  *
- * Embeds the MajikSignature in two places:
- *   1. PDF /Info dictionary custom key "majik-signature" (visible in File → Properties)
- *   2. XMP metadata stream (MajikSignature element in custom namespace)
+ * Embeds the MajikSignature as a binary trailer appended after the PDF's
+ * last %%EOF marker. This approach is:
+ *   - Deterministic: strip() is a pure byte slice, no parsing
+ *   - Non-destructive: the PDF remains valid and openable
+ *   - Spec-compliant: appending after %%EOF is allowed by PDF 1.7 §7.5.6
  *
- * Strip reads the original bytes from the /Info key, reconstructs a clean PDF.
- * If neither is present, the file is returned as-is (no signature found).
+ * If you want human-readable metadata visible in Adobe/Preview, call
+ * MajikSignatureClient.addDisplayMetadata() after signing — that is a
+ * separate display-only step and does not affect verification.
  */
 import { FormatHandler } from "../../types";
 export declare class PdfHandler implements FormatHandler {
     readonly name = "PDF";
     readonly supportedMimeTypes: readonly ["application/pdf"];
+    private _findMagic;
     canHandle(bytes: Uint8Array, mimeType?: string): boolean;
     embed(bytes: Uint8Array, signatureJson: string): Promise<Uint8Array>;
-    extract(bytes: Uint8Array): Promise<string | null>;
     strip(bytes: Uint8Array): Promise<Uint8Array>;
-    private _buildXMP;
-    private _extractFromXMP;
+    extract(bytes: Uint8Array): Promise<string | null>;
 }

package/dist/core/embed/handlers/pdf.js

@@ -1,19 +1,33 @@
 /**
- * handlers/pdf.ts — PDF handler using pdf-lib
+ * handlers/pdf.ts — PDF handler
  *
- * Embeds the MajikSignature in two places:
- *   1. PDF /Info dictionary custom key "majik-signature" (visible in File → Properties)
- *   2. XMP metadata stream (MajikSignature element in custom namespace)
+ * Embeds the MajikSignature as a binary trailer appended after the PDF's
+ * last %%EOF marker. This approach is:
+ *   - Deterministic: strip() is a pure byte slice, no parsing
+ *   - Non-destructive: the PDF remains valid and openable
+ *   - Spec-compliant: appending after %%EOF is allowed by PDF 1.7 §7.5.6
  *
- * Strip reads the original bytes from the /Info key, reconstructs a clean PDF.
- * If neither is present, the file is returned as-is (no signature found).
+ * If you want human-readable metadata visible in Adobe/Preview, call
+ * MajikSignatureClient.addDisplayMetadata() after signing — that is a
+ * separate display-only step and does not affect verification.
  */
-import { PDFDocument, PDFName, PDFString, PDFHexString } from "pdf-lib";
-import { MAJIK_NAMESPACE, SIGNATURE_KEY } from "../constants";
 const PDF_MAGIC = [0x25, 0x50, 0x44, 0x46]; // %PDF
+const MAGIC = new TextEncoder().encode("\n%%MajikSig%%\n");
 export class PdfHandler {
     name = "PDF";
     supportedMimeTypes = ["application/pdf"];
+    _findMagic(bytes) {
+        outer: for (let i = bytes.length - MAGIC.length; i >= 0; i--) {
+            if (bytes[i] !== MAGIC[0])
+                continue;
+            for (let j = 1; j < MAGIC.length; j++) {
+                if (bytes[i + j] !== MAGIC[j])
+                    continue outer;
+            }
+            return i;
+        }
+        return -1;
+    }
     canHandle(bytes, mimeType) {
         if (mimeType === "application/pdf")
             return true;
@@ -24,160 +38,27 @@ export class PdfHandler {
             bytes[3] === PDF_MAGIC[3]);
     }
     async embed(bytes, signatureJson) {
-        // Strip any existing signature first
         const clean = await this.strip(bytes);
-        const pdf = await PDFDocument.load(clean, { ignoreEncryption: true });
-        // ── 1. /Info dictionary ──────────────────────────────────────────────────
-        // pdf-lib exposes the info dict via getInfoDict()
-        // We set a custom key so it appears in File > Properties > Custom
-        const infoDict = pdf.context.lookup(pdf.context.trailerInfo.Info);
-        if (infoDict && "set" in infoDict) {
-            infoDict.set(PDFName.of(SIGNATURE_KEY), PDFString.of(signatureJson));
-        }
-        // Also set via built-in keywords field as a fallback visibility trick
-        // (some PDF viewers show keywords in properties)
-        try {
-            pdf.setKeywords([`${SIGNATURE_KEY}:${signatureJson}`]);
-        }
-        catch {
-            // Non-critical — ignore if keywords already set in a way we can't override
-        }
-        // ── 2. XMP metadata stream ───────────────────────────────────────────────
-        const xmp = this._buildXMP(signatureJson);
-        try {
-            pdf.setProducer("MajikSignatureEmbed/1.0");
-            // Set raw XMP via the underlying context
-            const metadataStream = pdf.context.stream(xmp, {
-                Type: "Metadata",
-                Subtype: "XML",
-            });
-            const metadataRef = pdf.context.register(metadataStream);
-            pdf.catalog.set(PDFName.of("Metadata"), metadataRef);
-        }
-        catch {
-            // XMP embed is best-effort; /Info key is the primary store
-        }
-        return pdf.save();
-    }
-    async extract(bytes) {
-        try {
-            const pdf = await PDFDocument.load(bytes, {
-                ignoreEncryption: true,
-                updateMetadata: false,
-            });
-            // ── Try /Info dictionary ──
-            const infoDict = pdf.context.lookup(pdf.context.trailerInfo.Info);
-            if (infoDict) {
-                const sigValue = infoDict.get(PDFName.of(SIGNATURE_KEY));
-                if (sigValue) {
-                    const raw = sigValue instanceof PDFHexString
-                        ? sigValue.decodeText()
-                        : sigValue.asString();
-                    if (raw)
-                        return raw;
-                }
-            }
-            // ── Try Keywords field ──
-            try {
-                const keywords = pdf.getKeywords();
-                if (keywords) {
-                    const prefix = `${SIGNATURE_KEY}:`;
-                    if (keywords.startsWith(prefix)) {
-                        return keywords.slice(prefix.length);
-                    }
-                }
-            }
-            catch {
-                /* ignore */
-            }
-            // ── Try XMP metadata stream ──
-            try {
-                const metadataRef = pdf.catalog.get(PDFName.of("Metadata"));
-                if (metadataRef) {
-                    const metadataStream = pdf.context.lookup(metadataRef);
-                    if (metadataStream) {
-                        const xmpBytes = metadataStream.getContents();
-                        const xmpStr = new TextDecoder().decode(xmpBytes);
-                        const extracted = this._extractFromXMP(xmpStr);
-                        if (extracted)
-                            return extracted;
-                    }
-                }
-            }
-            catch {
-                /* ignore */
-            }
-            return null;
-        }
-        catch {
-            return null;
-        }
+        const sigBytes = new TextEncoder().encode(signatureJson);
+        const lenBytes = new Uint8Array(4);
+        new DataView(lenBytes.buffer).setUint32(0, sigBytes.length, false);
+        const out = new Uint8Array(clean.length + MAGIC.length + sigBytes.length + lenBytes.length);
+        out.set(clean, 0);
+        out.set(MAGIC, clean.length);
+        out.set(sigBytes, clean.length + MAGIC.length);
+        out.set(lenBytes, clean.length + MAGIC.length + sigBytes.length);
+        return out;
     }
     async strip(bytes) {
-        try {
-            const pdf = await PDFDocument.load(bytes, {
-                ignoreEncryption: true,
-                updateMetadata: false,
-            });
-            const infoDict = pdf.context.lookup(pdf.context.trailerInfo.Info);
-            if (infoDict) {
-                infoDict.delete(PDFName.of(SIGNATURE_KEY));
-            }
-            // Remove signature from keywords
-            try {
-                const keywords = pdf.getKeywords();
-                if (keywords) {
-                    const prefix = `${SIGNATURE_KEY}:`;
-                    if (keywords.startsWith(prefix)) {
-                        pdf.setKeywords([]);
-                    }
-                }
-            }
-            catch {
-                /* ignore */
-            }
-            // Remove XMP metadata (regenerate clean)
-            try {
-                pdf.catalog.delete(PDFName.of("Metadata"));
-            }
-            catch {
-                /* ignore */
-            }
-            return pdf.save();
-        }
-        catch {
-            // If PDF is unreadable, return as-is
-            return bytes;
-        }
-    }
-    // ─── XMP Helpers ────────────────────────────────────────────────────────────
-    _buildXMP(signatureJson) {
-        // Escape XML entities in the JSON (rare but safe)
-        const escaped = signatureJson
-            .replace(/&/g, "&amp;")
-            .replace(/</g, "&lt;")
-            .replace(/>/g, "&gt;");
-        return `<?xpacket begin="\uFEFF" id="W5M0MpCehiHzreSzNTczkc9d"?>
-<x:xmpmeta xmlns:x="adobe:ns:meta/">
-  <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
-    <rdf:Description rdf:about=""
-        xmlns:majik="${MAJIK_NAMESPACE}">
-      <majik:signature>${escaped}</majik:signature>
-    </rdf:Description>
-  </rdf:RDF>
-</x:xmpmeta>
-<?xpacket end="w"?>`;
+        const i = this._findMagic(bytes);
+        return i === -1 ? bytes : bytes.slice(0, i);
     }
-    _extractFromXMP(xmp) {
-        // Try <majik:signature>...</majik:signature>
-        const tagMatch = xmp.match(/<majik:signature>([\s\S]*?)<\/majik:signature>/);
-        if (tagMatch) {
-            return tagMatch[1]
-                .replace(/&amp;/g, "&")
-                .replace(/&lt;/g, "<")
-                .replace(/&gt;/g, ">")
-                .trim();
-        }
-        return null;
+    async extract(bytes) {
+        const i = this._findMagic(bytes);
+        if (i === -1)
+            return null;
+        const sigStart = i + MAGIC.length;
+        const sigEnd = bytes.length - 4;
+        return new TextDecoder().decode(bytes.slice(sigStart, sigEnd));
     }
 }

package/dist/core/embed/majik-embed.d.ts

@@ -71,7 +71,7 @@ export declare class MajikSignatureEmbed {
      */
     static verifyWithKey(file: Blob, key: MajikKey, MajikSig: MajikSignatureStaticAdapter, options?: ExtractOptions & {
         expectedSignerId?: string;
-    }): Promise<EmbedVerifyResult>;
+    }, debug?: boolean): Promise<EmbedVerifyResult>;
     /**
      * Return a clean copy of the file with any embedded signature removed.
      */

package/dist/core/embed/majik-embed.js

@@ -155,9 +155,9 @@ export class MajikSignatureEmbed {
      * Called from MajikSignature.verifyFile() — MajikSig passed to avoid
      * circular import.
      */
-    static async verifyWithKey(file, key, MajikSig, options) {
+    static async verifyWithKey(file, key, MajikSig, options, debug = false) {
         const publicKeys = MajikSig.publicKeysFromMajikKey(key);
-        return MajikSignatureEmbed.verify(file, publicKeys, MajikSig, options);
+        return MajikSignatureEmbed.verify(file, publicKeys, MajikSig, options, debug);
     }
     /**
      * Return a clean copy of the file with any embedded signature removed.

package/dist/majik-signature.d.ts

@@ -142,7 +142,7 @@ export declare class MajikSignature {
     static verifyFile(file: Blob, keyOrPublicKeys: MajikKey | MajikSignerPublicKeys, options?: {
         expectedSignerId?: string;
         mimeType?: string;
-    }): Promise<VerificationResult & {
+    }, debug?: boolean): Promise<VerificationResult & {
         handler?: string;
     }>;
     /**

package/dist/majik-signature.js

@@ -410,13 +410,17 @@ export class MajikSignature {
      *   const result = await MajikSignature.verifyFile(signedBlob, key);
      *   if (result.valid) console.log("Signed by", result.signerId);
      */
-    static async verifyFile(file, keyOrPublicKeys, options) {
+    static async verifyFile(file, keyOrPublicKeys, options, debug = false) {
         if (MajikSignature._isMajikKey(keyOrPublicKeys)) {
+            if (debug)
+                console.log("Verifying with MajikKey");
             return MajikSignatureEmbed.verifyWithKey(file, keyOrPublicKeys, MajikSignature, // ← adapter
-            options);
+            options, debug);
         }
+        if (debug)
+            console.log("Verifying with public keys");
         return MajikSignatureEmbed.verify(file, keyOrPublicKeys, MajikSignature, // ← adapter
-        options);
+        options, debug);
     }
     /**
      * Embed this MajikSignature instance into a file.

package/package.json

@@ -2,7 +2,7 @@
   "name": "@majikah/majik-signature",
   "type": "module",
   "description": "Majik Signature is a hybrid post-quantum content signing and verification library for the Majikah ecosystem. Built on top of Majik Key, it provides tamper-proof, forgery-resistant digital signatures for any content format — using a dual-algorithm architecture that combines classical Ed25519 with post-quantum ML-DSA-87 (FIPS-204).",
-  "version": "0.0.4",
+  "version": "0.0.6",
   "license": "Apache-2.0",
   "author": "Zelijah",
   "main": "./dist/index.js",