chore(export): update PDFs, hashes and signatures [skip ci]

2026-06-21 04:58:04 +02:00 · 2026-05-30 14:28:33 +00:00 · 2026-05-30 14:17:05 +00:00 · 2026-05-30 13:59:24 +00:00 · 2026-05-30 13:50:18 +00:00
27 changed files with 11645 additions and 11694 deletions
@@ -0,0 +1,25 @@
+name: 🗑️ DEPRECATED — Build & Sign & Release (combined)
+
+# DEPRECATED — replaced by build.yml, sign.yml, and release.yml
+# This workflow is disabled. It is kept only as a reference until the
+# split workflows have been confirmed stable in production.
+# Do not trigger this workflow.
+
+on:
+  workflow_dispatch:
+    inputs:
+      _disabled:
+        description: 'This workflow is deprecated. Use build.yml → sign.yml → release.yml instead.'
+        required: false
+        type: string
+
+jobs:
+  noop:
+    name: Deprecated — no-op
+    runs-on: ubuntu-latest
+    steps:
+      - name: ❌ Workflow is deprecated
+        run: |
+          echo "This workflow is deprecated."
+          echo "Use build.yml → sign.yml → release.yml instead."
+          exit 1
@@ -1,7 +1,7 @@
-# 1. Push to main → 01-build.yml runs automatically → note the run ID
-# 2. Manually trigger 02-sign.yml with that build run ID → note the sign run ID
-# 3. Manually trigger 03-release.yml with: version=v1.2.5, sign_run_id=<id>
-# 4. Manually trigger 04-changelog.yml with: version=v1.2.5
+# 1. Push to main → build.yml runs automatically → note the run ID
+# 2. Manually trigger sign.yml with that build run ID → note the sign run ID
+# 3. Manually trigger release.yml with: version=v1.2.5, sign_run_id=<id>
+# 4. Manually trigger changelog.yml with: version=v1.2.5

 name: 📖 Build PDFs

@@ -24,7 +24,7 @@ on:
      - "docs/**"
      - "mkdocs.yml"
      - "scripts/**"
-      - ".github/workflows/01-build.yml"
+      - ".github/workflows/build.yml"

 permissions:
  contents: read
@@ -1,13 +1,14 @@
 name: 🚀 Release

 # Manual only — run this deliberately after build and sign are confirmed good.
-# Provide the 02-sign.yml run ID to pull artifacts from. The release tag is
-# automatically passed to the tag input. Exports "inputs.version" to $TAG.
+# Provide the sign.yml run ID to pull artifacts from. The release tag is
+# generated automatically as release-YYYYMMDD-<short-sha> — no version input
+# needed, no semver drift possible.
 on:
  workflow_dispatch:
    inputs:
      sign_run_id:
-        description: '02-sign.yml run ID to pull signatures and PDFs from'
+        description: 'sign.yml run ID to pull signatures and PDFs from'
        required: true
        type: string
      prerelease:
@@ -15,10 +16,6 @@ on:
        required: false
        default: false
        type: boolean
-      version:
-        description: 'Version string to record (e.g. v1.2.4) — required'
-        required: true
-        type: string

 permissions:
  contents: write # create releases and tags
@@ -98,7 +95,7 @@ jobs:
        run: |
          SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
          DATE=$(date -u +'%Y%m%d')
-          TAG="${{ inputs.version }}"
+          TAG="release-${DATE}-${SHORT_SHA}"
          NAME="Release ${DATE} (${SHORT_SHA})"
          echo "tag=$TAG"   >> $GITHUB_OUTPUT
          echo "name=$NAME" >> $GITHUB_OUTPUT
@@ -111,12 +108,12 @@ jobs:
          tag_name:   ${{ steps.tag.outputs.tag }}
          name:       ${{ steps.tag.outputs.name }}
          prerelease: ${{ inputs.prerelease || false }}
-          draft:      true
+          draft:      false
          fail_on_unmatched_files: false
          body: |
            ## 📖 The Hitchhiker's Guide to Online Anonymity

-            Built from [`${{ inputs.version }}`](${{ github.server_url }}/${{ github.repository }}/releases/tag/${{ inputs.version }}).
+            Built from [`${{ github.sha }}`](${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}) on `${{ github.ref_name }}`.

            ---

@@ -142,7 +142,7 @@ jobs:
            git push origin main
          fi

-      # Upload artifacts for 03-release.yml and verify job to consume
+      # Upload artifacts for release.yml and verify job to consume
      - name: 📤 Upload signatures artifact
        uses: actions/upload-artifact@v4
        with:
@@ -1 +1 @@
-www.anonymousplanet.org
+anonymousplanet.org
@@ -57,16 +57,16 @@ To contact me, see the updated information on the website or send an e-mail to <

 **Please consider [donating](../guide/index.md#donations) if you enjoy the project and want to support the hosting fees or support the funding of initiatives like the hosting of Tor Exit Nodes.**

-???+ example "Recommended Reading"
+### Recommended Reading

-    Some of those resources may, in order to sustain their project, contain or propose:
+Some of those resources may, in order to sustain their project, contain or propose:

-    - Sponsored commercial content
-    - Monetized content through third party platforms (such as YouTube)
-    - Affiliate links to commercial services
-    - Paid Services such as consultancy
-    - Premium content such as ad-free content or updated content
-    - Merchandising
+- Sponsored commercial content
+- Monetized content through third party platforms (such as YouTube)
+- Affiliate links to commercial services
+- Paid Services such as consultancy
+- Premium content such as ad-free content or updated content
+- Merchandising

 _Note that these websites could contain affiliate/sponsored content and/or merchandising. This guide does not endorse and is not sponsored by any commercial entity in any way._

@@ -74,7 +74,7 @@ If you skipped those, you should really still consider viewing this YouTube play

 _Anonymous Planet_ **does not** participate in any sponsoring, endorsement, advertising, or other affiliate programs for any entity. We only rely on anonymous donations in a closed, transparent loop system.

-??? tip "Privacy related"
+??? Note "Privacy related"

    - AnarSec: <https://www.anarsec.guide/>
    - EFF Surveillance Self-Defense: <https://ssd.eff.org/>
@@ -84,14 +84,14 @@ _Anonymous Planet_ **does not** participate in any sponsoring, endorsement, adve
    - The New Oil: <https://thenewoil.org>
    - PrivacyTools.io: <https://privacytools.io>

-??? tip "Blogs and personal websites"
+??? Note "Blogs and personal websites"

    - CIA Officer's Blog: <https://officercia.mirror.xyz/>
    - Continuing Ed: <https://edwardsnowden.substack.com/>
    - Madaidan's Insecurities: <https://madaidans-insecurities.github.io/>
    - Seirdy's Home: <https://seirdy.one/>

-??? tip "Useful resources"
+??? Note "Useful resources"

    - KYC? Not me: <https://kycnot.me/>
    - Library Genesis: <https://en.wikipedia.org/wiki/Library_Genesis> <sup>[[Wikiless]](https://wikiless.com/wiki/Library_Genesis)</sup> (see their latest known URL in the Wikipedia article)
@@ -100,7 +100,7 @@ _Anonymous Planet_ **does not** participate in any sponsoring, endorsement, adve
    - Terms of Service, Didn't Read: <https://tosdr.org>
    - Whonix Documentation: <https://www.whonix.org/wiki/Documentation>

-??? note "We are not affiliated with Anonymous or Riseup"
+??? Note "We are not affiliated with Anonymous or Riseup"

    One or two of our community members uses or has used the resources of Riseup. We are not affiliated with Riseup in any manner.

@@ -20,28 +20,6 @@ Notable changes to the guide and its tooling. Follows [Keep a Changelog](https:/

 ---

-## [v1.2.4]
-
-!!! Note "Meta"
-
-    - Rename workflows (GH - now we can know the order)
-
-!!! Note "Changed"
-
-    - Change the repo URL for our tor mirror
-    - Fix recommended reading admonition
-    - Refactoring some things and removing others
-    - More meta changes to the pipeline
-    - Rewrite developer guide for current pipeline
-
-!!! Note "Fixed"
-
-    - Fix an inline reference
-    - Use the Anonymous Planet RSK for releases (we used the MSK for testing)
-    - Prevent history dump and filter noise commits
-    - Actually save per-page PDFs for qpdf, not PNGs
-    - Fail fast with helpful message if pdftoppm or qpdf missing
-
 ## [v1.2.3]

 CI/CD pipeline split into independent stages, dark PDF quality improved, release signing automated, and the changelog now updates itself on every build. Skipping v1.2.2 which was a placeholder and contained broken Python unsuitable for a tag/release.
@@ -50,17 +28,17 @@ CI/CD pipeline split into independent stages, dark PDF quality improved, release

    - **Dark mode PDF** (`scripts/convert.py`): pixel-level converter replaces the broken `--prefers-color-scheme=dark` Chromium flag. Produces a 200 DPI hacker-themed PDF (`#1f1f31` background, `#e0e0e0` text, `#5e8bde` links) with batched page processing to avoid OOM on large documents.
    - **Three independent CI workflows** replacing the old monolithic `build-sign-release.yml`:
-        - `01-build.yml`: builds PDFs and uploads them as an artifact; no secrets required, can be re-run freely.
-        - `02-sign.yml`: downloads the PDF artifact, computes SHA-256 and BLAKE2b hashes, GPG-signs all outputs, and uploads a `signatures` artifact. Can be re-run against any historical build.
-        - `03-release.yml`: downloads both artifacts, uploads to VirusTotal, and publishes a tagged GitHub Release with all 12 assets attached. Can be triggered manually against any previous sign run.
+        - `build.yml`: builds PDFs and uploads them as an artifact; no secrets required, can be re-run freely.
+        - `sign.yml`: downloads the PDF artifact, computes SHA-256 and BLAKE2b hashes, GPG-signs all outputs, and uploads a `signatures` artifact. Can be re-run against any historical build.
+        - `release.yml`: downloads both artifacts, uploads to VirusTotal, and publishes a tagged GitHub Release with all 12 assets attached. Can be triggered manually against any previous sign run.
    - **`scripts/update_changelog.py`**: reads `git log` since the last version tag, categorises commits by conventional-commit prefix, and prepends a new entry to this file automatically after each successful build.
-    - **`04-changelog.yml`** workflow: commits the auto-generated changelog entry back to `main` after every build, with `dry_run` and `manual_version` dispatch inputs for safe local testing.
+    - **`changelog.yml`** workflow: commits the auto-generated changelog entry back to `main` after every build, with `dry_run` and `manual_version` dispatch inputs for safe local testing.
    - **`scripts/tag_release.py`**: interactive guided helper for maintainers to create GPG-signed annotated tags. Checks clean tree and branch, auto-increments the version, pulls the message from the changelog, resolves the release signing key, creates and verifies the tag, then prints the push command.
    - **`docs/code/develop.md`**: full developer reference covering prerequisites, local build instructions, the pipeline flow, all required GitHub Secrets, the release process, verification steps, and a troubleshooting section for every known CI failure mode.

 !!! warning "Changed"

-    - `build-sign-release.yml` deprecated (now removed) - push triggers removed, manual dispatch only. Will be deleted once in-flight runs complete.
+    - `build-sign-release.yml` deprecated - push triggers removed, manual dispatch only. Will be deleted once in-flight runs complete.
    - The full pipeline (build → sign → release → changelog) now chains automatically via `workflow_run` on every push to `main`.
    - GPG signing uses `--pinentry-mode loopback` and `--passphrase-fd 0` to avoid interactive prompts on headless runners.
    - VirusTotal scans moved to the release stage so they run once per release, not once per build.
@@ -101,6 +79,5 @@ First automated PDF build and the start of the CI pipeline.

 ---

-[v1.2.4]: https://github.com/Anon-Planet/thgtoa/releases/tag/v1.2.4
 [v1.2.3]: https://github.com/Anon-Planet/thgtoa/releases/tag/v1.2.3
 [v1.2.1]: https://github.com/Anon-Planet/thgtoa/releases/tag/v1.2.1
@@ -52,25 +52,26 @@ You also need **Google Chrome** or **Microsoft Edge** installed for the light-mo
 ```
 .github/
  workflows/
-    01-build.yml      # builds PDFs, uploads artifact
-    02-sign.yml       # hashes + GPG signs, uploads signatures artifact
-    03-release.yml    # publishes GitHub Release with all assets
-    04-changelog.yml  # prepends a new entry to docs/changelog/index.md
-    publish.yml       # deploys MkDocs site to GitHub Pages
+    build.yml              # builds PDFs, uploads artifact
+    sign.yml               # hashes + GPG signs, uploads signatures artifact
+    release.yml            # publishes GitHub Release with all assets
+    changelog.yml          # prepends a new entry to docs/changelog/index.md
+    publish.yml            # deploys MkDocs site to GitHub Pages
+    build-sign-release.yml # DEPRECATED - fails on trigger, kept for reference
 docs/
-  guide/index.md      # the guide (single Markdown file)
-  changelog/          # release notes
-  code/               # this page
-export/               # PDF output (PDFs gitignored; .sha256, .b2sum, .asc tracked)
-pgp/                  # public signing keys
+  guide/index.md           # the guide (single Markdown file)
+  changelog/               # release notes
+  code/                    # this page
+export/                    # PDF output (PDFs gitignored; .sha256, .b2sum, .asc tracked)
+pgp/                       # public signing keys
 scripts/
-  build_guide_pdf.py  # MkDocs + Chromium PDF builder
-  convert.py          # pixel-based dark mode PDF converter
-  update_changelog.py # auto-generates changelog entries from git log
-  setup_workflow.py   # GitHub Secrets setup assistant
-  verify_pdf.py       # signature verification helper
+  build_guide_pdf.py       # MkDocs + Chromium PDF builder
+  convert.py               # pixel-based dark mode PDF converter
+  update_changelog.py      # auto-generates changelog entries from git log
+  setup_workflow.py        # GitHub Secrets setup assistant
+  verify_pdf.py            # signature verification helper
  archived/
-    tag_release.py    # ARCHIVED - GPG tag helper (not used in current flow)
+    tag_release.py         # ARCHIVED - GPG tag helper (not used in current flow)
 ```

 ---
@@ -119,39 +120,39 @@ Opens at `http://127.0.0.1:8000`.

 ## CI/CD pipeline overview

-The pipeline is fully manual after the initial build - no step automatically triggers the next. This prevents version mismatches between what was built, what was signed, and what gets released. The workflows are numbered to help guide you.
+The pipeline is fully manual after the initial build - no step automatically triggers the next. This prevents version mismatches between what was built, what was signed, and what gets released.

 ```
 push to main  (or manual trigger)
      │
      ▼
-  01-build.yml
+  build.yml
  Builds thgtoa.pdf + thgtoa-dark.pdf.
  Uploads artifact: pdfs
  Note the run ID.
      │
-      │  # manually trigger 02-sign.yml with the build run ID
+      │  # manually trigger sign.yml with the build run ID
      ▼
-  02-sign.yml
+  sign.yml
  Downloads pdfs artifact. Hashes (SHA-256 + BLAKE2b) and GPG-signs
  all files. Commits export/ back to main. Uploads artifacts:
  signatures, pdfs-signed
  Note the run ID.
      │
-      │  # manually trigger 03-release.yml with the sign run ID
+      │  # manually trigger release.yml with the sign run ID
      ▼
-  03-release.yml
+  release.yml
  Downloads signatures + pdfs-signed artifacts. Runs VirusTotal.
  Creates GitHub Release tagged release-YYYYMMDD-<short-sha>.
      │
-      │  # manually trigger 04-changelog.yml with the version string
+      │  # manually trigger changelog.yml with the version string
      ▼
-  04-changelog.yml
+  changelog.yml
  Runs update_changelog.py, prepends a new ## [vX.Y.Z] entry,
  commits back to main.
 ```

-Each stage is independent. If signing fails (e.g. an expired/revoked key, other problems in CI), re-run only `02-sign.yml` pointing at the existing build artifact - no need to rebuild the PDFs.
+Each stage is independent. If signing fails (e.g. an expired key), re-run only `sign.yml` pointing at the existing build artifact - no need to rebuild the PDFs.

 !!! warning "Before you push"

@@ -165,7 +166,7 @@ Each stage is independent. If signing fails (e.g. an expired/revoked key, other

 ### 1. Trigger a build

-Push to `main` - `01-build.yml` runs automatically when `docs/`, `mkdocs.yml`, or `scripts/` change. You can also trigger it manually from **Actions → Build PDFs → Run workflow**.
+Push to `main` - `build.yml` runs automatically when `docs/`, `mkdocs.yml`, or `scripts/` change. You can also trigger it manually from **Actions → Build PDFs → Run workflow**.

 Once it completes successfully, **note the run ID** from the URL or the Actions list.

@@ -179,7 +180,7 @@ Go to **Actions → Sign PDFs → Run workflow**.
 |-------|-------|
 | `build_run_id` | The run ID from step 1 |

-`02-sign.yml` will:
+`sign.yml` will:

 - Download the PDFs artifact from the build run
 - Compute SHA-256 and BLAKE2b hashes, writing `thgtoa.pdf.sha256`, `thgtoa.pdf.b2sum`, `sha256sums.txt`, `b2sums.txt`, and the dark equivalents
@@ -200,7 +201,7 @@ Go to **Actions → Release → Run workflow**.
 | `sign_run_id` | The run ID from step 2 |
 | `prerelease` | `false` for a normal release |

-`03-release.yml` will:
+`release.yml` will:

 - Download `signatures` and `pdfs-signed` artifacts from the sign run
 - Upload both PDFs to VirusTotal
@@ -220,7 +221,7 @@ Go to **Actions → Update Changelog → Run workflow**.
 | `version` | The human-readable version string, e.g. `v1.2.4` |
 | `dry_run` | `true` to preview without committing |

-`04-changelog.yml` runs `scripts/update_changelog.py`, which:
+`changelog.yml` runs `scripts/update_changelog.py`, which:

 - Reads git log since the last `## [vX.Y.Z]` heading in the changelog
 - Categorises commits into Added / Changed / Fixed using conventional-commit prefixes
@@ -248,7 +249,7 @@ This format is always unique, requires no version decision at release time, and

 ## Commit message format

-All commits must follow the [Conventional Commits](https://www.conventionalcommits.org) format. This is enforced by the `commitizen` pre-commit hook. Not because we want to limit cooperation with others, but becasue it promotes a cleaner Changelog; we can avoid all the noise by doing this programatically.
+All commits must follow the [Conventional Commits](https://www.conventionalcommits.org) format. This is enforced by the `commitizen` pre-commit hook.

 ```
 <type>(<scope>): <description>
@@ -296,7 +297,7 @@ The passphrase protecting the private key above. Must match exactly - no trailin

 ### `ACTIONS_SSH_SIGNING_KEY`

-An SSH private key used by `02-sign.yml` to sign the commit that pushes `export/` back to `main`. Generate a dedicated key for this:
+An SSH private key used by `sign.yml` to sign the commit that pushes `export/` back to `main`. Generate a dedicated key for this:

 ```bash
 ssh-keygen -t ed25519 -C "github-actions signing key" -f actions_signing_key
@@ -306,11 +307,11 @@ Add the **private key** as the `ACTIONS_SSH_SIGNING_KEY` secret, and the **publi

 ### `VT_API_KEY`

-A [VirusTotal](https://www.virustotal.com) API key with file upload permissions. Used by `03-release.yml` to scan both PDFs before publishing. Get one by creating a free account at `virustotal.com` → API key under your profile. The free tier (4 lookups/minute, 500/day) is sufficient.
+A [VirusTotal](https://www.virustotal.com) API key with file upload permissions. Used by `release.yml` to scan both PDFs before publishing. Get one by creating a free account at `virustotal.com` → API key under your profile. The free tier (4 lookups/minute, 500/day) is sufficient.

 ### `CHANGELOG_PAT`

-A GitHub Personal Access Token with `contents: write` scope on this repository. Needed because `04-changelog.yml` commits back to `main` - commits made with the default `GITHUB_TOKEN` do not trigger further workflow runs (GitHub loop-prevention). A PAT bypasses this. If absent, falls back to `GITHUB_TOKEN` - the commit still happens, it just won't trigger downstream workflows.
+A GitHub Personal Access Token with `contents: write` scope on this repository. Needed because `changelog.yml` commits back to `main` - commits made with the default `GITHUB_TOKEN` do not trigger further workflow runs (GitHub loop-prevention). A PAT bypasses this. If absent, falls back to `GITHUB_TOKEN` - the commit still happens, it just won't trigger downstream workflows.

 **Creating one:** GitHub → Settings → Developer settings → Personal access tokens → Fine-grained tokens → set Contents to Read and write for this repo only.

@@ -318,11 +319,11 @@ A GitHub Personal Access Token with `contents: write` scope on this repository.

 | Secret | Required by | What happens if missing |
 |--------|------------|------------------------|
-| `GPG_PRIVATE_KEY` | `02-sign.yml` | Signing step fails - no `.asc` files produced |
-| `GPG_PASSPHRASE` | `02-sign.yml` | GPG import succeeds but signing fails |
-| `ACTIONS_SSH_SIGNING_KEY` | `02-sign.yml` | Export commit is unsigned (may fail if branch protection requires signed commits) |
-| `VT_API_KEY` | `03-release.yml` | VirusTotal step fails - release is not published |
-| `CHANGELOG_PAT` | `04-changelog.yml` | Falls back to `GITHUB_TOKEN` - changelog updates but commit won't trigger downstream workflows |
+| `GPG_PRIVATE_KEY` | `sign.yml` | Signing step fails - no `.asc` files produced |
+| `GPG_PASSPHRASE` | `sign.yml` | GPG import succeeds but signing fails |
+| `ACTIONS_SSH_SIGNING_KEY` | `sign.yml` | Export commit is unsigned (may fail if branch protection requires signed commits) |
+| `VT_API_KEY` | `release.yml` | VirusTotal step fails - release is not published |
+| `CHANGELOG_PAT` | `changelog.yml` | Falls back to `GITHUB_TOKEN` - changelog updates but commit won't trigger downstream workflows |

 ---

@@ -349,27 +350,9 @@ b2sum     -c b2sums.txt

 A successful verify looks like:

-```txt
-gpg: Signature made Sun 31 May 2026 03:23:26 AM EDT
-gpg:                using EDDSA key C3023DBEA3FB38C438BA1EEDCEC60AEDE8B992A2
-gpg: Good signature from "Anonymous Planet Release Signing Key" [ultimate]
-Primary key fingerprint: C302 3DBE A3FB 38C4 38BA  1EED CEC6 0AED E8B9 92A2
 ```
-
-You can safely ignore Github, Codeberg, etc. warnings like "The email in this signature doesn’t match the committer email."
-
-```txt
-λ > git tag -v v1.2.3
-object cdc54d8b3bc2b286827b23921d8d4062f85295cf
-type commit
-tag v1.2.3
-tagger nopeitsnothing <no@anonymousplanet.org> 1780212206 -0400
-
-v1.2.3
-gpg: Signature made Sun 31 May 2026 03:23:26 AM EDT
-gpg:                using EDDSA key C3023DBEA3FB38C438BA1EEDCEC60AEDE8B992A2
-gpg: Good signature from "Anonymous Planet Release Signing Key" [ultimate]
-Primary key fingerprint: C302 3DBE A3FB 38C4 38BA  1EED CEC6 0AED E8B9 92A2
+gpg: Signature made ...
+gpg: Good signature from "Anonymous Planet (Release) ..."
 ```

 ---
@@ -391,10 +374,10 @@ The `GPG_PRIVATE_KEY` secret is missing or malformed. Re-export with `gpg --armo
 **GPG signing fails with `Bad passphrase`**
 The `GPG_PASSPHRASE` secret has a trailing space or newline. Paste it again with no surrounding whitespace.

-**`03-release.yml` fails on VirusTotal**
+**`release.yml` fails on VirusTotal**
 The `VT_API_KEY` is missing, invalid, or over the rate limit (500 requests/day on the free tier). Check the secret and re-run after a few minutes.

-**`02-sign.yml` fails downloading PDF artifact**
+**`sign.yml` fails downloading PDF artifact**
 The `build_run_id` is wrong, or the artifact has expired (90-day retention). Trigger a new build and use the fresh run ID.

 **Changelog already contains version X**
@@ -11112,7 +11112,7 @@ As mentioned before in this guide multiple times, we strongly recommend the use

 - **Stay away from so-called "private" mixers, tumblers and coinjoiners.** You might think this is a good idea, but not only are they useless with cryptocurrencies such as BTC/ETH/LTC, they are also dangerous. They take custody of your coins. Use Monero to anonymize your crypto. Do not use a normal KYC-enabled exchange to buy/sell your Monero (such as Kraken), since this information on your purchases and withdrawals (for intended use) are retained in the exchange. Instead, use a P2P exchange that doesn't require KYC such as what can be found on <https://kycnot.me/>.

- **See [Warning about special tumbling, mixing, coinjoining privacy wallets and services](#warning-about-special-tumbling-mixing-coinjoining-privacy-wallets-and-services).**
+- **See [Warning about special tumbling, mixing, coinjoining privacy wallets and services].**

 ## Using Bitcoin anonymously option

@@ -11148,7 +11148,7 @@ The origin of those BTC cannot be traced back to your real identity due to the u

 **Regarding Zcash: this section previously included use of Zcash but it has been removed in light of newer, more accurate information.**

-## Warning about special tumbling, mixing, coinjoining privacy wallets and services
+## Warning about special tumbling, mixing, coinjoining privacy wallets and services: <sup>[Wikiless](https://wikiless.com/wiki/Cryptocurrency_tumbler) [Archive.org](https://web.archive.org/web/https://wikiless.com/wiki/Cryptocurrency_tumbler)</sup>

 Centralized "private" tumblers, mixers and coinjoiners are not recommended since they do not provide anonymity in a way that truly unlinks an output from its history.  Here are some references about this issue:

@@ -1,2 +1,2 @@
-39e7f8098d6c9511b98f83f4548ef8bac0d604fe820c4dbe1f731dbdff47676c0800872ba329492427cdfdf66734f55d03e3b4dd95b48e9e2ca2b3b4cd716213  thgtoa.pdf
-ba29fcd4ee9bd43a7ed96752bc372f7d374d69f3d37e33e04d07fd14fe4e62afccbc05471e8ad89632d31045a56eee9bde7c15a0c405f64c977e5e4ac30654fa  thgtoa-dark.pdf
+52ff5f4453c38e37374e6dd0af77a78f8d5912482ce20572e2963b95e142e2e61247c2033ca8e73300a0f70453cd3936d0b94ab8b4f00b6e02d95fe5155a784a  thgtoa.pdf
+7c5c529f28698ed4f69cbc2b7251b60c9770e702007f33c034586f0b8c84a78cdb92886e3f996d4f15c023b069f929a22c6eff7f8bd9d9b46c1fa7c8677785e3  thgtoa-dark.pdf
@@ -1,2 +1,2 @@
-ad7b3e327559dd835755615103bb1c59ef6f41ba652f6ee40c8fcdd082914f49  thgtoa.pdf
-1174ec6f1e074b6b0115cea54ee135e82e56771d7129dcf367037a7020d5b39c  thgtoa-dark.pdf
+ac4e509b2b05c6baae0d63e51107e87ab81c1fe655ea54b4d052381c00fcf6bd  thgtoa.pdf
+6bdb1291611cca1fdf3d0be9d9e83afbe4b2bb148c5fea872b7cbb06b06d4e08  thgtoa-dark.pdf
@@ -1,7 +1,7 @@
 -----BEGIN PGP SIGNATURE-----

-iHUEABYKAB0WIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwNewAKCRDOxgrt6LmS
-opw7AQDdsg3JaS2vy2ZYCI4L1F+guKHF/zItJUSTj76DdOVzSAD+PKDCa4Io6OO9
-7v2odiJHOrbYNmte5FhhffUZL8Nz1A4=
-=oBfF
+iHUEABYKAB0WIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahrz/QAKCRDOxgrt6LmS
+ov/+AP9PyENLxi/AbHOARbDs/wsgHXCNJSZ/oSgxgmi9sjBTngD/c2Pj8XauGH1o
+ftHJmfwKvy2Q/FjsBIHiA6gxKtXktAU=
+=x6hs
 -----END PGP SIGNATURE-----
@@ -1 +1 @@
-ba29fcd4ee9bd43a7ed96752bc372f7d374d69f3d37e33e04d07fd14fe4e62afccbc05471e8ad89632d31045a56eee9bde7c15a0c405f64c977e5e4ac30654fa
+7c5c529f28698ed4f69cbc2b7251b60c9770e702007f33c034586f0b8c84a78cdb92886e3f996d4f15c023b069f929a22c6eff7f8bd9d9b46c1fa7c8677785e3
@@ -1,8 +1,8 @@
 -----BEGIN PGP SIGNATURE-----

-iJEEABYKADkWIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwDIRsUgAAAAAAEAA5t
-YW51MiwyLjUrMS4xMiwyLDIACgkQzsYK7ei5kqJkrQD/etBsZk8BI71Dn0mgTDIQ
-HaYuAqtld5MmKaV9AxlniWABANt6V/0ivcXSsxajFdvpdu4TI9D4GR07ZeKFjYXV
-EZsM
-=/p57
+iJEEABYKADkWIQSfpUNtDuNgmFFXOCUX7KBfdo3t9gUCaeXaqxsUgAAAAAAEAA5t
+YW51MiwyLjUrMS4xMiwyLDIACgkQF+ygX3aN7fbdDgEAoSslLR47ydW/3r1wJOPY
+X/waLkVbkGZpHqwd4RjywwcA/3B7Ci+jUg+yP5TRsuChagEhwyO5vw2DxSlUGoB4
+ksH
+=2ja9
 -----END PGP SIGNATURE-----
@@ -1,8 +1,8 @@
 -----BEGIN PGP SIGNATURE-----

-iJEEABYKADkWIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwDHxsUgAAAAAAEAA5t
-YW51MiwyLjUrMS4xMiwyLDIACgkQzsYK7ei5kqIsEgD+PNgOOJy7GPQUYuaDlxeh
-ldQWf58ivLfQ6zpgeSSTiqIA/19EDw+Un9AYuxikZGp39vcNFxEhnwD7dRWZo/Ie
-ZyAE
-=OrTx
+iJEEABYKADkWIQSfpUNtDuNgmFFXOCUX7KBfdo3t9gUCaeXaqxsUgAAAAAAEAA5t
+YW51MiwyLjUrMS4xMiwyLDIACgkQF+ygX3aN7faErgD/Svj1G+B7gmrZQ6AsLZ5J
+HfeldxjmrXE99dig1iHtl5IBAMndZZb+95TO03IZ9eLGfYuyTz4GCUanmftsY9yv
+LAIN
+=MEd0
 -----END PGP SIGNATURE-----
@@ -1,7 +1,7 @@
 -----BEGIN PGP SIGNATURE-----

-iHUEABYKAB0WIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwNegAKCRDOxgrt6LmS
-ov0tAQCNiaIONY2A6zRVXUcOolOOCJY1pi9SvuJ/yalbTQewawEAsi7bhFYAo6c0
-yAy/jBcGD5E5HzLlmjkGvYcwsvWPfQo=
-=lnwq
+iHUEABYKAB0WIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahrz/AAKCRDOxgrt6LmS
+osMBAPwP7tBv/bIAbXr0PL1atLoqxLsU6T1uMrr+9wAgq+xDwwD9FnT98tFNt2Ql
+ob/WDNBLcJG7EUEy3pUU11ryYOY5wc=
+=ihf4
 -----END PGP SIGNATURE-----
@@ -1 +1 @@
-39e7f8098d6c9511b98f83f4548ef8bac0d604fe820c4dbe1f731dbdff47676c0800872ba329492427cdfdf66734f55d03e3b4dd95b48e9e2ca2b3b4cd716213
+52ff5f4453c38e37374e6dd0af77a78f8d5912482ce20572e2963b95e142e2e61247c2033ca8e73300a0f70453cd3936d0b94ab8b4f00b6e02d95fe5155a784a
@@ -1,8 +1,8 @@
 -----BEGIN PGP SIGNATURE-----

-iJEEABYKADkWIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwDIBsUgAAAAAAEAA5t
-YW51MiwyLjUrMS4xMiwyLDIACgkQzsYK7ei5kqJ6/QEAk2Ta0gygpWKSKstLjKwX
-wmqIyrEza93Xk22owhYi3FAA/jQslZb0MahgPZyf3PQ8syUlBJS8gKQ8nBEpf5BO
-Q/EK
-=Fvmv
+iJEEABYKADkWIQSfpUNtDuNgmFFXOCUX7KBfdo3t9gUCaeXaqxsUgAAAAAAEAA5t
+YW51MiwyLjUrMS4xMiwyLDIACgkQF+ygX3aN7fatsgEAixDzH+zTnKYMEx3sikWp
+dsNTiHTU6wJY/brVJIU879UBAJntBIq72vqwKtMb/ZlVvomdDvKVllZw8ZsYBz1n
+aTkM
+=vkgy
 -----END PGP SIGNATURE-----
@@ -1,8 +1,8 @@
 -----BEGIN PGP SIGNATURE-----

-iJEEABYKADkWIQTDAj2+o/s4xDi6Hu3Oxgrt6LmSogUCahwDHxsUgAAAAAAEAA5t
-YW51MiwyLjUrMS4xMiwyLDIACgkQzsYK7ei5kqIN4gEA2T011PhyNNqhGcj0uVTD
-47AZKLxWhZXnLzD0sRUHY/oBAMWFfSXrKN5q8yml5dWLbvFqbcIpefgHD8smBd6v
-fzUH
-=3Cxi
+iJEEABYKADkWIQSfpUNtDuNgmFFXOCUX7KBfdo3t9gUCaeXaqxsUgAAAAAAEAA5t
+YW51MiwyLjUrMS4xMiwyLDIACgkQF+ygX3aN7faAGQEAyEhVKrRoXIsV3E5f1FZg
+8fcsmbxCnKBqxichCkf0dWYBAIvbI146mQLHaNqLDaTIqCUQbkq1aE/YMFDGykUG
+ngsJ
+=/0RY
 -----END PGP SIGNATURE-----
@@ -67,7 +67,7 @@ extra:
      link: http://wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion/
      name: "0xacab"
    - icon: simple/gitea
-      link: http://it7otdanqu7ktntxzm427cba6i53w6wlanlh23v5i3siqmos47pzhvyd.onion/anonypla
+      link: http://it7otdanqu7ktntxzm427cba6i53w6wlanlh23v5i3siqmos47pzhvyd.onion/anonymousplanetorg
      name: Darktea
    - icon: simple/github
      link: https://github.com/anon-planet
@@ -1,18 +1,16 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----

-mDMEZc0J8xYJKwYBBAHaRw8BAQdAWIpOKf8GnTINRH7uW4oeGW4D4vfmK9xeQrnq
-n/TMIMe0JEFub255bW91cyBQbGFuZXQgUmVsZWFzZSBTaWduaW5nIEtleYiTBBMW
-CgA7FiEEwwI9vqP7OMQ4uh7tzsYK7ei5kqIFAmXNCfMCGwMFCwkIBwICIgIGFQoJ
-CAsCBBYCAwECHgcCF4AACgkQzsYK7ei5kqJJVgD+NKdW7U/uMWl6Ov1Ye9PPy6Mb
-IyyCYd2j5snO60e7msQA/0rxLaeLwzraevcE+WpdPMadxP2M8MxIKrKeAkKAe+IJ
-iHUEEBYKAB0WIQSfpUNtDuNgmFFXOCUX7KBfdo3t9gUCZqRFIAAKCRAX7KBfdo3t
-9o9LAP426yx71EP9sLKKpkkdAT19HJgsNBeA7SdR/DtMzWEbegD/f2oQYwVz3O1w
-7xuUqJMHS6/bN1E8B78JSi576up9rA2IdQQQFgoAHRYhBJ+lQ20O42CYUVc4JRfs
-oF92je32BQJp508bAAoJEBfsoF92je32TM8A/2j51Jc3owAx9STceeamG5GG7inq
-5jRMyKlMG4Kw1y1lAQD2kKSR9tz/l4Yhvy96WOuQYb+uG0W78T12l2c61F/xBrg4
-BGXNCfMSCisGAQQBl1UBBQEBB0DOf/mxiZClX/sJqtj7Ob+pCHbsMp9Wd4SHW7/P
-FaUKHwMBCAeIeAQYFgoAIBYhBMMCPb6j+zjEOLoe7c7GCu3ouZKiBQJlzQnzAhsM
-AAoJEM7GCu3ouZKie1EBAL5P2th3moOj4IDdXrP6KgdBB0kYweAHix0djG1jV/1+
-AQDrgVyMPBbTEztpvc4cyyGAmI42SLM/jKbqO2yWqwVoAg==
-=UoL3
+mDMEY2cNGBYJKwYBBAHaRw8BAQdAbKn/ExAQ+aq6/o2yc04B9jx5PMloaxux1eoT
+iKwQgX60JEFub255bW91cyBQbGFuZXQgUmVsZWFzZSBTaWduaW5nIEtleYiQBBMW
+CgA4FiEEg6bPnvV6wltcf10pKF5gSKEjIbIFAmNnDRgCGwMFCwkIBwMFFQoJCAsF
+FgIDAQACHgECF4AACgkQKF5gSKEjIbI5+QD/YSQ5E+LW4YJEAQQ+D3LFsGtGGRf3
+qQRD5plsUvTtBfsA/15EJaIjzSwrsf/3wsW48zSYKCer/nrhGY9y5yd0m2gBiHUE
+EBYKAB0WIQSeqYJ4Y58c2FPglsv/lFB1h6apuQUCY2cNxAAKCRD/lFB1h6apuXun
+AQCSNwZBNybUZzN/K4Zl1j6uhCqqnvbUlO80wvbHDMXpywD/dpabqjmpfxfJC20n
+t3OFxKSeIbfJ0VHvoHKpwcaGuwC4OARjZw0YEgorBgEEAZdVAQUBAQdAE7WMDHTx
+zWp542lXGLxSsiE4gtMvVxkEneKmZWwzbDcDAQgHiHgEGBYKACAWIQSDps+e9XrC
+W1x/XSkoXmBIoSMhsgUCY2cNGAIbDAAKCRAoXmBIoSMhsowLAP42HbiJIsIodWwn
+C3yBzwGrd1xRtf/91MpQUgFpCx7xuAD9G0F3l04hKkjxiHK+wJ27LnYcigaTVdje
+6d7bt7TerwE=
+=Hgos
 -----END PGP PUBLIC KEY BLOCK-----
@@ -4,4 +4,4 @@ Scripts kept for reference but no longer part of the active pipeline.

 | Script | Why archived |
 |--------|-------------|
-| `tag_release.py` | Created GPG-signed `vX.Y.Z` annotated tags. Superseded by the `release-YYYYMMDD-<sha>` timestamp tagging built into `03-release.yml`. Re-enable if semver release tagging is reintroduced. |
+| `tag_release.py` | Created GPG-signed `vX.Y.Z` annotated tags. Superseded by the `release-YYYYMMDD-<sha>` timestamp tagging built into `release.yml`. Re-enable if semver release tagging is reintroduced. |
@@ -396,7 +396,7 @@ def main() -> int:
    print("\n" + "=" * 70)
    print("  ✓ All done. Push the tag with:")
    print(f"\n    git push origin {version}\n")
-    print("  The 03-release.yml workflow can then be triggered manually from")
+    print("  The release.yml workflow can then be triggered manually from")
    print("  GitHub Actions to publish the GitHub Release for this tag.")
    print("=" * 70 + "\n")

@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 """Auto-generate and prepend a changelog entry to docs/changelog/index.md.

-Called by .github/workflows/04-changelog.yml. Reads git log since the last
+Called by .github/workflows/changelog.yml. Reads git log since the last
 changelog version, categorises commits by conventional-commit prefix,
 and prepends a new ## [vX.Y.Z] section in the MkDocs admonition format used
 by the rest of the file.
Author	SHA1	Message	Date
github-actions[bot]	3ed31cf5ee	chore(export): update PDFs, hashes and signatures [skip ci]	2026-05-30 14:28:33 +00:00
github-actions[bot]	bc0f95fb06	chore(export): update PDFs, hashes and signatures [skip ci]	2026-05-30 14:17:05 +00:00
github-actions[bot]	dc9c21fc72	chore(export): update PDFs, hashes and signatures [skip ci]	2026-05-30 13:59:24 +00:00
github-actions[bot]	a7d39587e2	chore(export): update PDFs, hashes and signatures [skip ci]	2026-05-30 13:50:18 +00:00