diff --git a/.github/workflows/build-sign-release.yml b/.github/workflows/build-sign-release.yml index 664f24a..3ac3253 100644 --- a/.github/workflows/build-sign-release.yml +++ b/.github/workflows/build-sign-release.yml @@ -57,9 +57,16 @@ jobs: env: CI: true run: python scripts/build_guide_pdf.py --${{ inputs.build_mode || 'both' }} - + - name: 🛡️ Sign PDFs + env: + GPG_KEY: ${{ secrets.GPG_PRIVATE_KEY }} + GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} run: | + cd ${{ github.workspace }} + # Import GPG key + export GPG_TTY=$(tty) + echo "$GPG_KEY" | gpg --batch --import 2>/dev/null || true chmod +x scripts/sign-pdfs.sh ./scripts/sign-pdfs.sh diff --git a/docs/changelog/index.md b/docs/changelog/index.md index 701683c..59bb44c 100644 --- a/docs/changelog/index.md +++ b/docs/changelog/index.md @@ -28,7 +28,7 @@ All notable changes to this project will be documented in this file. ### Changed - Refactored GitHub Actions workflow **Build PDF** (`scripts\build_guide_pdf.py`): now builds both light and dark mode PDFs (`export/thgtoa.pdf` and `export/thgtoa-dark.pdf` respectively). -- Restored previous VT scans +- Restored previous VT scans ## Fixed @@ -65,4 +65,4 @@ All notable changes to this project will be documented in this file. [1.2.1]: https://github.com/Anon-Planet/thgtoa/releases/tag/v1.2.1 ***The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),*** -***and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).*** \ No newline at end of file +***and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).*** diff --git a/docs/guide/dev-workflow.md b/docs/guide/dev-workflow.md index 4ef37e9..f468c68 100644 --- a/docs/guide/dev-workflow.md +++ b/docs/guide/dev-workflow.md 
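Review bot: GPG_PASSPHRASE is placed in the step's env but nothing reads it: the import line `echo "$GPG_KEY" | gpg --batch --import 2>/dev/null || true` never passes it, and `gpg_sign` in scripts/sign-pdfs.sh further down this diff runs `gpg --batch --yes --detach-sign --armor --local-user "$GPG_KEY_ID"` with no `--pinentry-mode loopback`/`--passphrase-fd`, so a passphrase-protected key cannot sign on a non-interactive runner. The `2>/dev/null || true` also hides a failed import, and the step sets neither `SIGN_PDF_GPG_KEY` nor a key-ID argument, so `check_dependencies` (also in this diff) falls through to `read -p` on a runner with no stdin and, at best, continues with signing skipped — a release could be published unsigned without the job failing. Let the import fail the job (`echo "$GPG_KEY" | gpg --batch --import`), set the key ID in the same env block (e.g. `SIGN_PDF_GPG_KEY: <signing-key-fingerprint>`, placeholder), and have the script consume GPG_PASSPHRASE through `--pinentry-mode loopback --passphrase-fd 0` rather than exporting an unused secret. Minor: prefer `cd "$GITHUB_WORKSPACE"` over interpolating `${{ github.workspace }}` unquoted into the shell script, and `export GPG_TTY=$(tty)` does nothing useful under `--batch` on a runner without a tty. The rest of the job definition lies outside the hunk.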
@@ -2,11 +2,11 @@ ??? Note "How the pipeline works" - **Automatic PDF Generation:** - Builds both light and dark mode PDFs from MkDocs source - **SHA256 Hash Generation:** - Creates hash files for integrity verification - **GPG Signature Signing:** - Signs all PDFs and hash files with repository GPG key - **VirusTotal Scanning:** - Automatically scans PDFs and updates release notes - **Release Automation:** - Packages everything into GitHub releases + **Automatic PDF Generation:** - Builds both light and dark mode PDFs from MkDocs source + **SHA256 Hash Generation:** - Creates hash files for integrity verification + **GPG Signature Signing:** - Signs all PDFs and hash files with repository GPG key + **VirusTotal Scanning:** - Automatically scans PDFs and updates release notes + **Release Automation:** - Packages everything into GitHub releases ## Workflow Architecture @@ -26,9 +26,9 @@ !!! Note "**How it works**" - - Each PDF gets a unique SHA256 hash calculated at build time - - Hash stored in `.sha256` files alongside the PDFs - - Combined `sha256sum.txt` for batch verification + - Each PDF gets a unique SHA256 hash calculated at build time + - Hash stored in `.sha256` files alongside the PDFs + - Combined `sha256sum.txt` for batch verification ### GPG Signature Verification **Purpose:** Verify authenticity and prevent tampering diff --git a/docs/index.md b/docs/index.md index 17495b0..f30de15 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -17,13 +17,13 @@ schema: # **Hello, and welcome to the Hitchhiker's Guide.** **9FA5 436D 0EE3 6098 5157 3825 17EC A05F 768D EDF6** - -You'll use it to [**verify the checksum** and **GPG signature** of all files for authenticity.](verify/index.md) -Please share this project if you enjoy it and you think it might be useful to others. + +You'll use it to [**verify the checksum** and **GPG signature** of all files for authenticity.](verify/index.md) +Please share this project if you enjoy it and you think it might be useful to others. ![Anonymous Planet logo](media/profile.png){ align=right } -Anonymous Planet is a collective of volunteers. +Anonymous Planet is a collective of volunteers. ??? person "Das Kolburn" diff --git a/docs/verify/index.md b/docs/verify/index.md index 9922442..17b2aa5 100644 --- a/docs/verify/index.md +++ b/docs/verify/index.md @@ -117,9 +117,9 @@ The GitHub Actions workflows automatically: ## Key Information -**Signing Key:** Anonymous Planet Master Signing Key ("MSK") -**Key ID:** See `pgp/anonymousplanet-master.asc` for details -**Fingerprint:** Verify from the repository's official documentation +**Signing Key:** Anonymous Planet Master Signing Key ("MSK") +**Key ID:** See `pgp/anonymousplanet-master.asc` for details +**Fingerprint:** Verify from the repository's official documentation --- diff --git a/scripts/sign-pdfs.sh b/scripts/sign-pdfs.sh index 05b6aa3..cbdfd93 100644 --- a/scripts/sign-pdfs.sh +++ b/scripts/sign-pdfs.sh 
@@ -34,19 +34,19 @@ print_error() { # Check if required tools are available check_dependencies() { print_info "Checking dependencies..." - + for cmd in sha256sum b2sum gpg; do if ! command -v "$cmd" &> /dev/null; then print_error "$cmd is not installed. Please install it and try again." exit 1 fi done - + # Check GPG key availability if [ -z "$GPG_KEY_ID" ]; then GPG_KEY_ID="${SIGN_PDF_GPG_KEY:-}" fi - + if [ -n "$GPG_KEY_ID" ]; then if ! gpg --list-keys "$GPG_KEY_ID" &> /dev/null; then print_error "GPG key '$GPG_KEY_ID' not found in your keyring." @@ -56,7 +56,7 @@ check_dependencies() { # List available keys and prompt user print_warn "No GPG key ID specified. Listing available secret keys:" gpg --list-secret-keys --keyid-format LONG - + read -p "Enter the GPG key ID to use for signing (or press Enter to skip): " GPG_KEY_ID if [ -n "$GPG_KEY_ID" ]; then if ! gpg --list-keys "$GPG_KEY_ID" &> /dev/null; then @@ -67,22 +67,22 @@ check_dependencies() { print_warn "No GPG signing will be performed. Set SIGN_PDF_GPG_KEY environment variable or pass key ID as argument." fi fi - + print_info "All dependencies checked successfully!" } # Create output directories setup_directories() { print_info "Setting up directories..." - + if [ ! -d "$INPUT_DIR" ]; then print_error "Input directory '$INPUT_DIR' does not exist." exit 1 fi - + mkdir -p "$OUTPUT_DIR" mkdir -p "$CHECKSUMS_DIR" - + print_info "Input directory: $INPUT_DIR" print_info "Output directory: $OUTPUT_DIR" print_info "Checksums directory: $CHECKSUMS_DIR" @@ -93,7 +93,7 @@ generate_sha256() { local file="$1" local filename=$(basename "$file") local output_file="${CHECKSUMS_DIR}/$(unknown).sha256" - + sha256sum "$file" > "$output_file" print_info "SHA256 checksum generated: $output_file" } 
@@ -103,7 +103,7 @@ generate_b2sum() { local file="$1" local filename=$(basename "$file") local output_file="${CHECKSUMS_DIR}/$(unknown).b2sum" - + b2sum "$file" > "$output_file" print_info "B2SUM checksum generated: $output_file" } @@ -112,16 +112,16 @@ generate_b2sum() { gpg_sign() { local file="$1" local filename=$(basename "$file") - + if [ -z "$GPG_KEY_ID" ]; then print_warn "Skipping GPG signing for '$filename' (no key ID provided)" return 0 fi - + # Sign the file in detached mode with ASCII armor gpg --batch --yes --detach-sign --armor --local-user "$GPG_KEY_ID" \ --output "${file}.sig" "$file" - + print_info "GPG signature generated: ${file}.sig" } @@ -129,13 +129,13 @@ gpg_sign() { process_pdf() { local pdf_file="$1" local filename=$(basename "$pdf_file") - + print_info "Processing: $filename" - + # Generate checksums generate_sha256 "$pdf_file" generate_b2sum "$pdf_file" - + # GPG sign if key is available gpg_sign "$pdf_file" } @@ -145,28 +145,28 @@ main() { echo "" check_dependencies setup_directories - + # Find all PDF files in input directory (recursively) pdf_files=($(find "$INPUT_DIR" -type f -name "*.pdf")) - + if [ ${#pdf_files[@]} -eq 0 ]; then print_error "No PDF files found in '$INPUT_DIR'" exit 1 fi - + print_info "Found ${#pdf_files[@]} PDF file(s) to process" - + # Process each PDF file for pdf_file in "${pdf_files[@]}"; do process_pdf "$pdf_file" done - + print_info "==========================================" print_info "Processing Complete!" print_info "==========================================" print_info "Checksums saved to: $CHECKSUMS_DIR" print_info "Signed files and signatures in: $(dirname "$INPUT_DIR")" - + # Display summary of checksums print_info "SHA256 Checksums:" cat "${CHECKSUMS_DIR}"/*.sha256 2>/dev/null || true