puck is an AppJail application that uses a very restricted, ephemeral jail to convert a potentially suspicious PDF into a trustworthy one.
This application is basically a few patches for qubes-app-linux-pdf-converter, so you are essentially using the original application; the patches are only necessary to make it work on FreeBSD. There is one subtle difference: both the client and server run inside the jail, so no dependencies need to be installed for the client to work. Just run the Makejail file as described below.
For more details, please see the article in which this concept was originally introduced:
http://blog.invisiblethings.org/2013/02/21/converting-untrusted-pdfs-into-trusted.html
# appjail makejail \
-f gh+AppJail-makejails/puck \
-o container="args:--pull" \
-- \
--puck_file /path/to/your/suspicious/file.pdf
...
# xdg-open file.trusted.pdf
...puck_from(default:ghcr.io/appjail-makejails/puck): Location of OCI image. See also OCI Configuration.puck_tag(default:latest): OCI image tag. See also OCI Configuration.puck_file(mandatory): Suspicious PDF file.puck_nostop(optional): Don't stop the jail.puck_output(default:${APPJAIL_PWD}): Output file or directory. The current directory is used by default.
PUCK_BATCH(default:50): Maximum number of conversion tasks.PUCK_COMPRESSION(default:1): Enable compression. Set this environment variable to0to disable compression.PUCK_COMPRESSION_RESOLUTION(default:72): Resolution in DPI.PUCK_COMPRESSION_WITH_GRAYSCALE(default:0): Enable grayscale conversion which can further reduce output size.PUCK_RESOLUTION(default:300): Resolution of output.
build:
variants:
- tag: 15.1
containerfile: Containerfile
aliases: ["latest"]
default: true
args:
FREEBSD_RELEASE: "15.1"
PYVER: "312"- This Makejail includes gh+AppJail-makejails/user-mapping.