add workflow to documentation

.gitignore

@@ -3,3 +3,4 @@
 /kms_signer/obj
 *.exe
 /lambda_c2pasign/obj
+/.vs

README.md

@@ -16,12 +16,13 @@ openssl pkcs8 -topk8 -inform PEM -outform DER -in es256_private.key -out es256_p
 
 ## Short Introduction in running c2patool with AWS KMS
 
-1. using parameter `signer-path`, ref [^3] and [^4]
-
-[^3]: https://github.com/contentauth/c2patool?tab=readme-ov-file#signing-claim-bytes-with-your-own-signer
-
-[^4]: https://github.com/nitrat7/c2pa_sign_awslambdakms/blob/main/lambda_c2pasign/runC2PA.cs#L208)
-
-2. and application that gets claim-bytes per standard-input and returns signed bytestream via standard-output, ref [^5]
-
-[^5]: https://github.com/nitrat7/c2pa_sign_awslambdakms/blob/main/kms_signer/Program.cs#L18
+![system schema](doc/c2paSign.drawio.png)
+
+1. There's a trigger configured, that once an Object on S3 Bucket has been created in folder "s3BucketPath" (defined by env-variable, default "data"), a call to Lambda function will be initiated. (ref https://github.com/nitrat7/c2pa_sign_awslambdakms/blob/4a185dc5502490e891a8de1c4f493726f3b01be6/lambda_c2pasign/Function.cs#L35)
+2. Lambda Function will download Object to local Store 
+3. Starting Signing with given manifest-definition (ref https://github.com/nitrat7/c2pa_sign_awslambdakms/blob/4a185dc5502490e891a8de1c4f493726f3b01be6/lambda_c2pasign/runC2PA.cs#L201). 
+To be signed claim-bytes will be sent to AWS KMS  - and with stored Config with private Key on AWS KMS (ref https://github.com/nitrat7/c2pa_sign_awslambdakms/blob/main/kms_signer/Program.cs)
+Have a look using parameter `signer-path`, (ref https://github.com/nitrat7/c2pa_sign_awslambdakms/blob/main/lambda_c2pasign/runC2PA.cs#L208) and https://github.com/contentauth/c2patool?tab=readme-ov-file#signing-claim-bytes-with-your-own-signer
+The kms_signer application that gets claim-bytes per standard-input and returns signed bytestream via standard-output (https://github.com/nitrat7/c2pa_sign_awslambdakms/blob/main/kms_signer/Program.cs#L18)
+4. the signed claim bytes will be returned
+5. the signed Object will be transferred back to S3-Bucket  in folder "s3BucketPathSigned" (defined by env-variable, default "data_sign")

doc/c2paSign.drawio

@@ -0,0 +1,85 @@
+<mxfile host="app.diagrams.net" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" version="24.8.6">
+  <diagram name="Seite-1" id="5SiG2aX4VQQCV-IAW3pS">
+    <mxGraphModel dx="907" dy="525" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
+      <root>
+        <mxCell id="0" />
+        <mxCell id="1" parent="0" />
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-1" value="" style="sketch=0;points=[[0,0,0],[0.25,0,0],[0.5,0,0],[0.75,0,0],[1,0,0],[0,1,0],[0.25,1,0],[0.5,1,0],[0.75,1,0],[1,1,0],[0,0.25,0],[0,0.5,0],[0,0.75,0],[1,0.25,0],[1,0.5,0],[1,0.75,0]];outlineConnect=0;fontColor=#232F3E;fillColor=#7AA116;strokeColor=#ffffff;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;fontSize=12;fontStyle=0;aspect=fixed;shape=mxgraph.aws4.resourceIcon;resIcon=mxgraph.aws4.s3;" vertex="1" parent="1">
+          <mxGeometry x="40" y="40" width="170" height="170" as="geometry" />
+        </mxCell>
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-2" value="" style="edgeStyle=elbowEdgeStyle;html=1;endArrow=block;dashed=0;elbow=vertical;endFill=1;rounded=0;" edge="1" parent="1" source="xTAZMhIz0_m4H_iPqNoI-1">
+          <mxGeometry width="160" relative="1" as="geometry">
+            <mxPoint x="260" y="130" as="sourcePoint" />
+            <mxPoint x="420" y="130" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-3" value="" style="sketch=0;outlineConnect=0;fontColor=#232F3E;gradientColor=none;fillColor=#7AA116;strokeColor=none;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;fontSize=12;fontStyle=0;aspect=fixed;pointerEvents=1;shape=mxgraph.aws4.s3_object_lambda;" vertex="1" parent="1">
+          <mxGeometry x="310" y="80" width="27.18" height="40" as="geometry" />
+        </mxCell>
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-4" value="" style="outlineConnect=0;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;shape=mxgraph.aws3.lambda_function;fillColor=#F58534;gradientColor=none;" vertex="1" parent="1">
+          <mxGeometry x="450" y="60" width="160.71" height="150" as="geometry" />
+        </mxCell>
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-5" value="" style="shape=flexArrow;endArrow=classic;html=1;rounded=0;strokeColor=default;align=center;verticalAlign=middle;fontFamily=Helvetica;fontSize=11;fontColor=default;labelBackgroundColor=default;" edge="1" parent="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="440" y="201" as="sourcePoint" />
+            <mxPoint x="210" y="201" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-6" value="" style="shape=flexArrow;endArrow=classic;html=1;rounded=0;strokeColor=default;align=center;verticalAlign=middle;fontFamily=Helvetica;fontSize=11;fontColor=default;labelBackgroundColor=default;" edge="1" parent="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="210" y="160" as="sourcePoint" />
+            <mxPoint x="440" y="160" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-7" value="" style="outlineConnect=0;dashed=0;verticalLabelPosition=bottom;verticalAlign=top;align=center;html=1;shape=mxgraph.aws3.kms;fillColor=#759C3E;gradientColor=none;" vertex="1" parent="1">
+          <mxGeometry x="840" y="50" width="139.84" height="170" as="geometry" />
+        </mxCell>
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-8" value="" style="shape=flexArrow;endArrow=classic;html=1;rounded=0;strokeColor=default;align=center;verticalAlign=middle;fontFamily=Helvetica;fontSize=11;fontColor=default;labelBackgroundColor=default;" edge="1" parent="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="840.71" y="190" as="sourcePoint" />
+            <mxPoint x="610.71" y="190" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-9" value="" style="shape=flexArrow;endArrow=classic;html=1;rounded=0;strokeColor=default;align=center;verticalAlign=middle;fontFamily=Helvetica;fontSize=11;fontColor=default;labelBackgroundColor=default;" edge="1" parent="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="610.71" y="150" as="sourcePoint" />
+            <mxPoint x="840.71" y="150" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-10" value="" style="image;aspect=fixed;perimeter=ellipsePerimeter;html=1;align=center;shadow=0;dashed=0;spacingTop=3;image=img/lib/active_directory/key.svg;" vertex="1" parent="1">
+          <mxGeometry x="880" y="80" width="67.57" height="50" as="geometry" />
+        </mxCell>
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-13" value="" style="sketch=0;pointerEvents=1;shadow=0;dashed=0;html=1;strokeColor=none;labelPosition=center;verticalLabelPosition=bottom;verticalAlign=top;outlineConnect=0;align=center;shape=mxgraph.office.concepts.folder;fillColor=#7FBA42;" vertex="1" parent="1">
+          <mxGeometry x="298" y="190" width="22.22" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-14" value="" style="sketch=0;pointerEvents=1;shadow=0;dashed=0;html=1;strokeColor=none;labelPosition=center;verticalLabelPosition=bottom;verticalAlign=top;outlineConnect=0;align=center;shape=mxgraph.office.concepts.folder;fillColor=#7FBA42;" vertex="1" parent="1">
+          <mxGeometry x="331" y="150" width="22.22" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-15" value="1" style="rounded=1;fillColor=#0065FF;strokeColor=none;html=1;fontColor=#ffffff;align=center;verticalAlign=middle;whiteSpace=wrap;fontSize=18;fontStyle=1;arcSize=50;sketch=0;" vertex="1" parent="1">
+          <mxGeometry x="270" y="70" width="40" height="25" as="geometry" />
+        </mxCell>
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-16" value="2" style="rounded=1;fillColor=#0065FF;strokeColor=none;html=1;fontColor=#ffffff;align=center;verticalAlign=middle;whiteSpace=wrap;fontSize=18;fontStyle=1;arcSize=50;sketch=0;" vertex="1" parent="1">
+          <mxGeometry x="360" y="147" width="40" height="25" as="geometry" />
+        </mxCell>
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-19" value="5" style="rounded=1;fillColor=#0065FF;strokeColor=none;html=1;fontColor=#ffffff;align=center;verticalAlign=middle;whiteSpace=wrap;fontSize=18;fontStyle=1;arcSize=50;sketch=0;" vertex="1" parent="1">
+          <mxGeometry x="247" y="190" width="40" height="25" as="geometry" />
+        </mxCell>
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-21" value="S3 Bucket" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;" vertex="1" parent="1">
+          <mxGeometry x="40" y="208" width="80" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-22" value="KMS-Store" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;" vertex="1" parent="1">
+          <mxGeometry x="840" y="220" width="80" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-23" value="C2PA-Signing Lambda Function" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;" vertex="1" parent="1">
+          <mxGeometry x="436.36" y="210" width="190" height="30" as="geometry" />
+        </mxCell>
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-24" value="3" style="rounded=1;fillColor=#0065FF;strokeColor=none;html=1;fontColor=#ffffff;align=center;verticalAlign=middle;whiteSpace=wrap;fontSize=18;fontStyle=1;arcSize=50;sketch=0;" vertex="1" parent="1">
+          <mxGeometry x="760" y="138.5" width="40" height="25" as="geometry" />
+        </mxCell>
+        <mxCell id="xTAZMhIz0_m4H_iPqNoI-25" value="4" style="rounded=1;fillColor=#0065FF;strokeColor=none;html=1;fontColor=#ffffff;align=center;verticalAlign=middle;whiteSpace=wrap;fontSize=18;fontStyle=1;arcSize=50;sketch=0;" vertex="1" parent="1">
+          <mxGeometry x="648" y="177.5" width="40" height="25" as="geometry" />
+        </mxCell>
+      </root>
+    </mxGraphModel>
+  </diagram>
+</mxfile>

doc/fixme_template.yaml

@@ -0,0 +1,64 @@
+Transform: AWS::Serverless-2016-10-31
+Resources:
+  FunctionC2PASign:
+    Type: AWS::Serverless::Function
+    Properties:
+      Description: !Sub
+        - Stack ${AWS::StackName} Function ${ResourceName}
+        - ResourceName: FunctionC2PASign
+      CodeUri: lambda_c2pasign/
+      Handler: lambda_c2pasign::c2panalyze2.Function::FunctionHandlerSign
+      Runtime: dotnet8
+      MemorySize: 3008
+      Timeout: 600
+      Tracing: Active
+      Events:
+        BucketC2PASign:
+          Type: S3
+          Properties:
+            Bucket: !Ref BucketC2PASign
+            Events:
+              - s3:ObjectCreated:*
+  FunctionC2PASignLogGroup:
+    Type: AWS::Logs::LogGroup
+    DeletionPolicy: Retain
+    Properties:
+      LogGroupName: !Sub /aws/lambda/${FunctionC2PASign}
+  BucketC2PASign:
+    Type: AWS::S3::Bucket
+    Properties:
+      BucketName: !Sub ${AWS::StackName}-bucketc2p-${AWS::AccountId}
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: aws:kms
+              KMSMasterKeyID: alias/aws/s3
+      PublicAccessBlockConfiguration:
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+  BucketC2PASignBucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref BucketC2PASign
+      PolicyDocument:
+        Id: RequireEncryptionInTransit
+        Version: '2012-10-17'
+        Statement:
+          - Principal: '*'
+            Action: '*'
+            Effect: Deny
+            Resource:
+              - !GetAtt BucketC2PASign.Arn
+              - !Sub ${BucketC2PASign.Arn}/*
+            Condition:
+              Bool:
+                aws:SecureTransport: 'false'
+  RolePolicy:
+    Type: AWS::IAM::RolePolicy
+    Properties:
+      RoleName: <String>
+      PolicyName: <String>
+  Role:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument: <Json>