PDF Verification Guide

Files Provided

For each PDF release, you'll receive:

  • PDF file (thgtoa.pdf or thgtoa-dark.pdf) - The actual document
  • Signature file (.sig) - GPG detached signature for authenticity verification
  • Hash file (.sha256) - SHA256 checksum for integrity verification

Quick Verification

# Verify everything (hashes, signatures, and optionally VirusTotal)
python scripts/verify_pdf.py --all

# Only verify hashes
python scripts/verify_pdf.py --hashes

# Only verify GPG signatures
python scripts/verify_pdf.py --signatures

# Check VirusTotal scan status (requires VT_API_KEY environment variable)
python scripts/verify_pdf.py --vt

Manual Verification

1. Verify SHA256 Hash

Linux/macOS:

cd /path/to/repo
sha256sum -c sha256sum-light.txt

Windows (PowerShell):

Get-FileHash -Algorithm SHA256 export\thgtoa.pdf | Select-Object Hash
# Compare with the hash in thgtoa.pdf.sha256

2. Verify GPG Signature

First, import the public key:

gpg --import pgp/anonymousplanet-master.asc

Then verify the signature:

gpg --verify export/thgtoa.pdf.sig export/thgtoa.pdf
gpg --verify export/thgtoa-dark.pdf.sig export/thgtoa-dark.pdf

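Expected output for successful verification (the WARNING lines appear whenever the key has not been certified in your own keyring; what matters is "Good signature" together with a primary key fingerprint that matches the official one):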

gpg: Signature made Mon 20 Apr 2026 01:46:40 AM EDT
gpg:                using EDDSA key 9FA5436D0EE360985157382517ECA05F768DEDF6
gpg: Good signature from "Anonymous Planet Master Signing Key" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9FA5 436D 0EE3 6098 5157  3825 17EC A05F 768D EDF6
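
A "Good signature" line alone does not show who signed, so the check below pins the fingerprint. It is an added example, not the project's scripts/verify_pdf.py: it parses gpg's machine-readable `--status-fd` output and accepts a signature only when VALIDSIG names the fingerprint printed in the expected output above. The function names and the sample status lines are constructed for illustration.

```python
import subprocess

# Pin copied from the expected gpg output on this page; confirm it with the
# maintainers before relying on it.
EXPECTED_FPR = "9FA5436D0EE360985157382517ECA05F768DEDF6"
# gpg status keywords after which the signature must not be trusted.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def signer_fingerprint(status_text):
    """Primary-key fingerprint of the single valid signature, else None."""
    fpr = None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in FATAL:
            return None
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            if fpr is not None:
                return None  # several signatures: refuse to guess
            # Last VALIDSIG field is the primary key; fall back to signing key.
            fpr = (parts[11] if len(parts) >= 12 else parts[2]).upper()
    return fpr

def is_pinned_signer(status_text, expected=EXPECTED_FPR):
    """True only if a valid signature was made by the pinned key."""
    return signer_fingerprint(status_text) == expected.replace(" ", "").upper()

def verify(pdf_path, sig_path):
    """Run gpg on a real file pair; status lines go to stdout (fd 1)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, pdf_path],
        capture_output=True, text=True)
    return proc.returncode == 0 and is_pinned_signer(proc.stdout)

# Constructed status lines for illustration, not captured from a real run.
_UID = "Anonymous Planet Master Signing Key"
_OTHER = "0123456789ABCDEF0123456789ABCDEF01234567"  # made-up look-alike key
def _status(fpr):
    return (f"[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG {fpr[-16:]} {_UID}\n"
            f"[GNUPG:] VALIDSIG {fpr} 2026-04-20 1776664000 0 4 0 22 10 00 {fpr}\n")
SAMPLE_OK = _status(EXPECTED_FPR)
SAMPLE_LOOKALIKE = _status(_OTHER)  # "Good signature", wrong owner
SAMPLE_BAD = f"[GNUPG:] BADSIG {EXPECTED_FPR[-16:]} {_UID}\n"

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_LOOKALIKE", "SAMPLE_BAD"):
        print(name, is_pinned_signer(globals()[name]))
```

On real files, call `verify("export/thgtoa.pdf", "export/thgtoa.pdf.sig")` after importing the public key.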

3. Check VirusTotal Status

Visit the VirusTotal report links (automatically generated in release notes):

  • Light mode: https://www.virustotal.com/gui/file/[hash]
  • Dark mode: https://www.virustotal.com/gui/file/[hash]

Or use the Python script with API key:

export VT_API_KEY=your_vt_api_key
python scripts/verify_pdf.py --vt

Automated Verification in CI/CD

The GitHub Actions workflows automatically:

  1. Build PDFs from MkDocs source
  2. Generate SHA256 hashes and save to root directory
  3. Sign files with GPG using the repository's private key
  4. Scan with VirusTotal and update release notes
  5. Create releases with all verification artifacts

Security Best Practices

  1. Always verify signatures before opening PDFs from untrusted sources
  2. Check hashes to ensure files weren't corrupted during download
  3. Review VirusTotal results for any suspicious detections
  4. Import keys securely - verify key fingerprints with the project maintainers
  5. Keep verification scripts updated to match current security standards

Troubleshooting

"Good signature" but wrong owner?

  • Ensure you imported the correct public key
  • Check the key fingerprint matches the official one from the repository

Hash mismatch?

  • Re-download the file (corruption during transfer)
  • Verify you're checking against the correct hash file
  • Check for disk errors on your system

GPG not found?

  • Install GPG: sudo apt install gnupg (Debian/Ubuntu) or brew install gnupg (macOS)
  • On Windows, use Gpg4win

Key Information

  • Signing Key: Anonymous Planet Master Signing Key ("MSK")
  • Key ID: See pgp/anonymousplanet-master.asc for details
  • Fingerprint: Verify from the repository's official documentation

For questions or issues with verification, please open an issue on GitHub.