From f3cb57230fa9eb47fcc36c79f49a76cd1f214025 Mon Sep 17 00:00:00 2001 From: nopeitsnothing Date: Sat, 25 Apr 2026 17:40:12 -0400 Subject: [PATCH] Submit actual develop page Signed-off-by: nopeitsnothing --- docs/code/develop.md | 50 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 docs/code/develop.md diff --git a/docs/code/develop.md b/docs/code/develop.md new file mode 100644 index 0000000..c55a068 --- /dev/null +++ b/docs/code/develop.md 
@@ -0,0 +1,50 @@ +# Development + +??? Note "How the pipeline works" + + **Automatic PDF Generation:** - Builds both light and dark mode PDFs from MkDocs source + **SHA256 Hash Generation:** - Creates hash files for integrity verification + **GPG Signature Signing:** - Signs all PDFs and hash files with repository GPG key + **VirusTotal Scanning:** - Automatically scans PDFs and updates release notes + **Release Automation:** - Packages everything into GitHub releases + +## Architecture + +### Build PDF Workflow (`build-sign-release.yml`) + +!!! Note "Steps" + + - Checkout repository + - Set up Python and MkDocs Material + - Install Chromium browser + - Generate both light and dark mode PDFs with `scripts\build_guide_pdf.py` + - Create SHA256 and blake2 hash files in `export/` + - Sign all files with GPG in `export/` + - Upload artifacts to GitHub Actions **manually** + +### SHA256 Hash Verification + +!!! Note "**How it works**" + + - Each PDF gets a unique SHA256 hash calculated at build time + - Hash stored in `.sha256` files alongside the PDFs + - Combined `sha256sum.txt` for batch verification + +### GPG Signature Verification + +**Purpose:** Verify authenticity and prevent tampering + +!!! Note "How it works" + + - Detached signatures created for each PDF and hash file + - Public keys available in `/pgp/` directory + +**Verification command:** +```bash +gpg --import pgp/anonymousplanet-master.asc +gpg --verify export/thgtoa.pdf.sig export/thgtoa.pdf +``` + +--- + +*This workflow is designed for security-conscious users who need to verify the authenticity and integrity of downloaded documents.*
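Review bot: In the "GPG Signature Verification" section, the verification command imports `pgp/anonymousplanet-master.asc` from the same repository that ships the PDFs and never has the reader confirm the key's fingerprint, so a successful `gpg --verify` only shows the file matches whatever key came with the download. Please state the expected fingerprint in this page (and ideally publish it through a second channel) and add a step to compare it, for example with `gpg --fingerprint`, before the `--verify` line. The same section says hash files are signed as well, but the example only verifies `export/thgtoa.pdf`; showing the signature check on the hash file followed by the hash check would make clear that an unsigned `.sha256` file detects corruption, not tampering. Related gaps in the rest of the hunk: "SHA256 Hash Verification" describes `sha256sum.txt` for batch verification but gives no command (something like `sha256sum -c sha256sum.txt`, run from the directory holding the PDFs, would mirror the GPG section); the Steps list mentions "SHA256 and blake2 hash files" while blake2 is not described anywhere else on the page; "Upload artifacts to GitHub Actions **manually**" reads oddly next to the "Release Automation" bullet at the top and should say which parts are automated; and `scripts\build_guide_pdf.py` uses a backslash where every other path in the page (`export/`, `/pgp/`) uses forward slashes.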