prokop/thgtoa
1
0
Fork 0
mirror of https://github.com/Anon-Planet/thgtoa.git synced 2026-05-07 03:54:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

docs(var): build and version

Browse Source
This commit is contained in:
nopeitsnothing
2024-07-26 21:20:51 -04:00
parent 3c0a8ca6e1
commit 8da97cfed9
217 changed files with 14985 additions and 40690 deletions
Download Patch File Download Diff File Expand all files Collapse all files
verify.md
+17 -15
View File
@@ -15,15 +15,15 @@ The Minisign signatures for each PDF and ODT files are available here:
First get the hash of your local file by following these steps for your OS:
Windows:
- From a command prompt, run ```certutil -hashfile filename.txt sha256```
- From a command prompt, run `certutil -hashfile filename.txt sha256`
- Compare the obtained hash result of your local file to the online file's published hash. They should match.
macOS:
- From a terminal, run ```shasum -a 256 /full/path/to/your/file```
- From a terminal, run `shasum -a 256 /full/path/to/your/file`
- Compare the obtained hash result of your local file to the online file's published hash. They should match.
Linux:
- From a terminal, run ```sha256sum /full/path/to/your/file```
- From a terminal, run `sha256sum /full/path/to/your/file`
- Compare the obtained hash result of your local file to the online file's published hash. They should match.
All commits and releases on this repository are cryptographically signed and verified by each collaborator (check for the "Verified" tags on commits and releases).
@@ -37,36 +37,36 @@ To verify files with GPG signatures, you should first install gpg on your system
Import the master signing key from a trusted source of the publisher using the following command from a command prompt or terminal:
```gpg --auto-key-locate nodefault,wkd --locate-keys 9EA98278639F1CD853E096CBFF94507587A6A9B9```
`gpg --auto-key-locate nodefault,wkd --locate-keys 9FA5436D0EE360985157382517ECA05F768DEDF6`
In theory this command should fetch the key from the a default pool server. If this doesn't work, you can also download/view it directly from here (in our case): <https://anonymousplanet.org/pgp/AnonymousPlanet-Master-Signing-Key_9EA98278639F1CD853E096CBFF94507587A6A9B9.asc>
In theory this command should fetch the key from the a default pool server. You should download/view it directly from the website: [here](https://anonymousplanet.org/keys/master-signing-key.asc) or from the local directory [here](keys/) in case you generated the site on your own. The old/defunct/revoked (for whatever reason) keys are [here](keys/old/).
As well as the published key on any keyserver below (search for the fingerprint ```9EA98278639F1CD853E096CBFF94507587A6A9B9```):
You may also retrieve published keys (e.g. the MSK) at any keyserver below (search for the fingerprint `9FA5436D0EE360985157382517ECA05F768DEDF6`):
- <https://pgp.mit.edu>
- <https://keys.openpgp.org>
- <https://keyserver.ubuntu.com>
You should then import it manually by issuing the following command on any OS:
```gpg --import 9EA98278639F1CD853E096CBFF94507587A6A9B9.asc```
`gpg --import 9FA5436D0EE360985157382517ECA05F768DEDF6.asc`
The master signing key allows you to verify all other project-related keys. Once you have the master signing key and are confident it's the correct key (nobody has tampered with it), mark the key as trusted by locally signing it:
```gpg --lsign-key 9EA98278639F1CD853E096CBFF94507587A6A9B9```
`gpg --lsign-key 9FA5436D0EE360985157382517ECA05F768DEDF6`
Alternatively, if you use Kleopatra, it will ask you to certify the key. Certify the key to mark it as trusted.
Once you have the master key downloaded, imported, and certified, you will obtain a copy of the release key.
```gpg --auto-key-locate nodefault,wkd --locate-keys 83A6CF9EF57AC25B5C7F5D29285E6048A12321B2``` (to import the release signing key)
`gpg --auto-key-locate nodefault,wkd --locate-keys C3023DBEA3FB38C438BA1EEDCEC60AEDE8B992A2` (to import the release signing key)
<https://anonymousplanet.org/pgp/AnonymousPlanet-Release-Signing-Key_83A6CF9EF57AC25B5C7F5D29285E6048A12321B2.asc> (to download the key yourself)
<https://anonymousplanet.org/keys/release-signing-key.asc> (to download the key yourself)
If you use GPG directly, you won't need to mark the release signing key as trusted, because it's already signed by the master signing key. If you use Kleopatra, the process to import the release signing key is the same as importing the master signing key.
Finally, verify the asc signature file (links above) against the PDF file by issuing the following example command:
```gpg --verify guide.pdf.asc guide.pdf```
`gpg --verify guide.pdf.asc guide.pdf`
This should output a result showing it matches a signature created by the release signing key, and is therefore a good result.
@@ -77,15 +77,17 @@ To verify the files with Minisign:
- First, download minisign from <https://jedisct1.github.io/minisign/>.
- Download the files along with their \*.minisig signature file (these should be in the same directory).
- Download the Minisign public key available on the website and repository: [minisign.pub](minisign.pub) (again, place it in the same directory for convenience).
- Run the following command in a command prompt or terminal within the directory with both files: ```minisign -Vm guide.pdf -p minisign.pub```.
- Output should show ```Signature and comment signature verified```.
- Run the following command in a command prompt or terminal within the `export` directory:
- `minisign -Vm guide.pdf -p minisign.pub`
- Output should show `Signature and comment signature verified`.
### How to check the relative safety of files or even URLs (such as https://anonymousplanet.org) using VirusTotal:
**Note: we do not endorse VirusTotal. It should be used with extreme caution, never with any sensitive files, due to their privacy policies. Do not upload sensitive files to VirusTotal.**
The PDF and ODT files of this guide have been automatically scanned by VT, see the links below for an example but do not trust these hashes blindly. Check the hashes match and re-upload to VT if needed:
- PDF file: [[VT Scan]](https://www.virustotal.com/gui/file/7b3b90fe11fbeae31a5feb14ccb06ffcb17b0259d1ce9a837a4b46d5e62c1f17?nocache=1)
- ODT file: [[VT Scan]](https://www.virustotal.com/gui/file/f8aa13c29fff848417f358ff99f3e06a7d088fdd211550853220a9a2c013c19a?nocache=1)
- ODT file: [[VT Scan]](https://www.virustotal.com/gui/file/f8aa13c29fff848417f358ff99f3e06a7d088fdd211550853220a9a2c013c19a?nocache=1)
- URL: [[URL Scan]](https://www.virustotal.com/gui/url/a6cf53fbf790c84aee04bdaa562f753eb2b61b76bcfa6bdef896c309d8dcddaf)
### Additional manual safety checks for the PDF files:
@@ -95,7 +97,7 @@ Here are the steps:
- Install the latest version (e.g., 3.10.6 stable) of Python, download [pdfid](https://didierstevens.com/files/software/pdfid_v0_2_8.zip) and, from a command prompt or terminal, run:
```python pdfid.py file-to-check.pdf```
`python pdfid.py file-to-check.pdf`
And you should see the following entries at **0** for safety, this 0 means there is no Javascript or any action that could possibly execute malicious macros, scripts, etc. Normally this won't be necessary as most modern PDF readers won't execute those scripts anyway.