thgtoa/docs/guide/dev-workflow.md

Development

??? Note "How the pipeline works"

**Automatic PDF Generation:** - Builds both light and dark mode PDFs from MkDocs source
**SHA256 Hash Generation:** - Creates hash files for integrity verification
**GPG Signature Signing:** - Signs all PDFs and hash files with repository GPG key
**VirusTotal Scanning:** - Automatically scans PDFs and updates release notes
**Release Automation:** - Packages everything into GitHub releases

Workflow Architecture

Build PDF Workflow (build-sign-release.yml)

??? Note "Steps"

- Checkout repository
- Set up Python and MkDocs Material
- Install Chromium browser
- Generate both light and dark mode PDFs with `scripts\build_guide_pdf.py`
- Create SHA256 and blake2 hash files in `export/`
- Sign all files with GPG in `export/`
- Upload artifacts to GitHub Actions **manually**

SHA256 Hash Verification

!!! Note "How it works"

- Each PDF gets a unique SHA256 hash calculated at build time
- Hash stored in `.sha256` files alongside the PDFs
- Combined `sha256sum.txt` for batch verification

GPG Signature Verification

Purpose: Verify authenticity and prevent tampering

??? Note "How it works"

- Detached signatures created for each PDF and hash file
- Public keys available in `/pgp/` directory

Verification command:

gpg --import pgp/anonymousplanet-master.asc
gpg --verify export/thgtoa.pdf.sig export/thgtoa.pdf

---

This workflow is designed for security-conscious users who need to verify the authenticity and integrity of downloaded documents.