ci: refactoring some things and removing others

Lots of source additions here from long-standing notes over the past few
months. Squashed to make it neater than 219 commits.

- bump version to v1.2.4, Jun 2026
- expand Tor section with new "Traffic analysis and the limits of Tor" subsection
  guard node persistence, website fingerprinting, and a practical breakdown of
  when Tor is and is not sufficient
- expand hardware/firmware threat section with new subsections on firmware
  implants, USB attack hardware (O.MG Cable, Rubber Ducky), Evil Maid attacks,
  supply chain compromise, and a physical inspection checklist
- rename "Removing Metadata from Files/Documents/Pictures" section to "Metadata
  auditing"; add reference table of tools by file type; expand EXIF/XMP coverage,
  PDF metadata (font fingerprinting), and DOCX revision history with real-world
  source identification cases; restructure subsections
- add introductory paragraph to "Your Metadata" section
- add new appendix B8: operational security failure case studies with common
  threads
- add new appendix B9: post-quantum cryptography covering HNDL threat, NIST PQC
  standards, Signal's PQXDH, browser hybrid KEM, PGP limitations, VPN guidance,
  and Monero note
- add new appendix C1: stylometric analysis and writing style covering features
  measured, deployed tools, real cases (J.K. Rowling), effective and ineffective
  countermeasures including AI rewriting
- fix Dangerzone GitHub URL (firstlook -> freedomofpress)
- Remove duplicate footnote [^500]; minor wording fixes ("users" -> "people",
  passive voice tweaks, cross-reference updates)

- docs/index.md: both MSK and RSK GPG fingerprints in a collapsible tip admonition
  instead of bare text
- docs/about/index.md: convert Note admonitions to tip; reformat social media
  links into collapsible tip block
- docs/mirrors/index.md: simplify PDF download instructions to point to Releases;
- README.md: add star history chart
- mkdocs.yml: rename site to "The Hitchhiker's Guide"; update site description
  with hashtags

- sign.yml: remove commented-out workflow_run trigger and if: condition; add
  verify job that runs after sign, downloads artifacts, runs verify_pdf.py, and
  writes a full job summary with hashes; update artifact upload description; minor
  comment and whitespace cleanup
- release.yml, changelog.yml: replace decorative banner comments with single-line
  comments; fix trailing-space style in permissions block
- publish.yml: remove stale comment about nomaterial theme
- verify_pdf.py: full rewrite: replace single-hash-file lookup with flexible
  resolver that checks both bare hash files (.sha256, .b2sum) and two-column
  sumfiles (sha256sums.txt, b2sums.txt); add BLAKE2b verification alongside
  SHA-256; fix signature extension (.asc not .sig); improve CLI (--file,
  --export-dir flags; remove --all; default runs all checks); improve VirusTotal
  output with direct link; cleaner output formatting with ruled separators

.github/workflows/sign.yml

@@ -1,13 +1,9 @@
 name: 🔏 Sign PDFs
 
 # Can be triggered:
-#   1. Automatically after build.yml completes on main
-#   2. Manually, pointing at a specific build run to pull PDFs from
+# 1. Automatically after build.yml completes on main
+# 2. Manually, pointing at a specific build run to pull PDFs from
 on:
-  # workflow_run:
-  #   workflows: ["📖 Build PDFs"]
-  #   types: [completed]
-  #   branches: [main]
   workflow_dispatch:
     inputs:
       build_run_id:
@@ -15,17 +11,14 @@ on:
         required: true
         type: string
 
+# Download artifacts from other runs + commit export/ files back to the repo
 permissions:
-  actions:  read    # download artifacts from other runs
-  contents: write   # needed to commit export/ files back to the repo
+  actions:  read
+  contents: write
 
 jobs:
   sign:
     name: Hash & Sign PDFs
-    # On workflow_run, only proceed if the build actually succeeded
-    # if: >
-    #   github.event_name == 'workflow_dispatch' ||
-    #   github.event.workflow_run.conclusion == 'success'
     runs-on: ubuntu-latest
     outputs:
       light_sha256: ${{ steps.hashes.outputs.light_sha256 }}
@@ -50,9 +43,7 @@ jobs:
       - name: 📋 List downloaded files
         run: ls -lh export/
 
-      # ------------------------------------------------------------------ #
-      #  Hash — extensions match export/ conventions: .sha256, .b2sum
-      # ------------------------------------------------------------------ #
+      # Hash - extensions match export/ conventions: .sha256, .b2sum
       - name: "#️⃣ Hash PDFs"
         id: hashes
         run: |
@@ -85,9 +76,7 @@ jobs:
           echo "--- BLAKE2b ---"
           cat b2sums.txt
 
-      # ------------------------------------------------------------------ #
-      #  GPG sign — detached ASCII-armor signatures use .asc extension
-      # ------------------------------------------------------------------ #
+      # GPG sign — detached ASCII-armor signatures use .asc extension
       - name: 🔑 Install GPG
         run: |
           sudo apt-get update -qq
@@ -119,9 +108,7 @@ jobs:
           sign export/sha256sums.txt
           sign export/b2sums.txt
 
-      # ------------------------------------------------------------------ #
-      #  Commit export/ back to main
-      # ------------------------------------------------------------------ #
+      # Commit export/ back to main
       - name: 📦 Checkout full repo for commit
         uses: actions/checkout@v4
         with:
@@ -143,6 +130,7 @@ jobs:
           git config --global user.name  "github-actions[bot]"
           git config --global user.email "github-actions[bot]@users.noreply.github.com"
 
+      # If no change in git diff, do nothing
       - name: 📤 Commit and push export/ to main
         working-directory: repo
         run: |
@@ -154,9 +142,7 @@ jobs:
             git push origin main
           fi
 
-      # ------------------------------------------------------------------ #
-      #  Upload artifacts for release.yml to consume
-      # ------------------------------------------------------------------ #
+      # Upload artifacts for release.yml and verify job to consume
       - name: 📤 Upload signatures artifact
         uses: actions/upload-artifact@v4
         with:
@@ -186,3 +172,85 @@ jobs:
           if-no-files-found: warn
           retention-days: 90
           compression-level: 0
+
+  # Verify — runs after sign, surfaces results as a job summary
+  verify:
+    name: Verify hashes & signatures
+    runs-on: ubuntu-latest
+    needs: sign
+    # Always run so the summary is visible even if sign partially failed
+    if: always()
+
+    steps:
+      - name: 🛠️ Checkout scripts and public key
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: |
+            scripts/verify_pdf.py
+            pgp
+
+      - name: 📥 Download signatures artifact
+        uses: actions/download-artifact@v4
+        with:
+          name:         signatures
+          path:         export/
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: 📥 Download signed PDFs artifact
+        uses: actions/download-artifact@v4
+        with:
+          name:         pdfs-signed
+          path:         export/
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: 🔑 Install GPG and import public key
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y gnupg
+          gpg --import pgp/anonymousplanet-release.asc
+
+      - name: 🐍 Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: 🔍 Run verify_pdf.py
+        id: verify
+        run: |
+          # Capture output and exit code separately so we can write the
+          # summary regardless of whether verification passed or failed.
+          set +e
+          output=$(python scripts/verify_pdf.py --hashes --signatures --export-dir export 2>&1)
+          exit_code=$?
+          set -e
+
+          echo "exit_code=$exit_code" >> $GITHUB_OUTPUT
+
+          # ── Job summary ──────────────────────────────────────────────
+          {
+            if [ "$exit_code" -eq 0 ]; then
+              echo "## ✅ Verification passed"
+            else
+              echo "## ❌ Verification failed"
+            fi
+
+            echo ""
+            echo "**Run:** [\`${{ github.run_id }}\`](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})  ·  **Commit:** [\`${GITHUB_SHA::7}\`](${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }})  ·  **By:** \`${{ github.actor }}\`"
+            echo ""
+            echo "### Script output"
+            echo '```'
+            echo "$output"
+            echo '```'
+            echo ""
+            echo "### Hashes"
+            echo '```'
+            echo "── SHA-256 ──────────────────────────────────────────────────────"
+            cat export/sha256sums.txt 2>/dev/null || echo "(not found)"
+            echo ""
+            echo "── BLAKE2b ──────────────────────────────────────────────────────"
+            cat export/b2sums.txt 2>/dev/null || echo "(not found)"
+            echo '```'
+          } >> $GITHUB_STEP_SUMMARY
+
+          # Propagate failure so the job is marked red if verification fails
+          exit $exit_code