<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang xml:lang>
<head>
<meta charset="utf-8" />
<meta name="generator" content="pandoc" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
<title>The Hitchhiker&#39;s Guide to Online Anonymity</title>
<style>
code{white-space: pre-wrap;}
span.smallcaps{font-variant: small-caps;}
span.underline{text-decoration: underline;}
div.column{display: inline-block; vertical-align: top; width: 50%;}
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
ul.task-list{list-style: none;}
</style>
</head>
<body>
<header id="title-block-header">
<h1 class="title">The Hitchhiker&#39;s Guide to Online Anonymity</h1>
</header>
<h2 id="how-to-check-the-files-for-safetyintegrity-and-authenticity.">How to check the files for safety/integrity and authenticity.</h2>
<p>The PDF and ODT files in this guide are cryptographically signed using GPG and Minisign. Their integrity can be verified with the SHA256 checksum hashes published on this website.</p>
<p>SHA256 Checksums of all the PDF and ODT files are available here in the <a href="sha256sum.txt">sha256sum.txt</a> file.</p>
<p>SHA256 Checksums, signatures, and virustotal checks of the releases files (containing the whole repository) are available within release information at <a href="https://github.com/AnonyPla-ng/thgtoa/releases/latest" class="uri">https://github.com/AnonyPla-ng/thgtoa/releases/latest</a></p>
<p>The GPG signatures for each PDF and ODT file are available here:</p>
<ul>
<li>PDF (Light Theme) Main and Mirrors: <a href="guide.pdf.asc">guide.pdf.asc</a></li>
<li>ODT Main and Mirrors: <a href="guide.odt.asc">guide.odt.asc</a></li>
</ul>
<p>The Minisign signatures for each PDF and ODT file are available here:</p>
<ul>
<li>PDF (Light Theme) Main and Mirrors: <a href="guide.pdf.minisig">guide.pdf.minisig</a></li>
<li>ODT Main and Mirrors: <a href="guide.odt.minisig">guide.odt.minisig</a></li>
</ul>
<h3 id="how-to-check-the-integrity-of-the-files-using-the-sha256-checksums">How to check the integrity of the files using the SHA256 Checksums:</h3>
<p>Please do the following:</p>
<p>Windows:</p>
<ul>
<li>From a command prompt, run <code>certutil -hashfile filename.txt sha256</code></li>
<li>Compare the result with the hash in the online checksum files. They should match.</li>
</ul>
<p>MacOS:</p>
<ul>
<li>From a terminal, run <code>shasum -a 256 /full/path/to/your/file</code></li>
<li>Compare the result with the hash in the online checksum files. They should match.</li>
</ul>
<p>Linux:</p>
<ul>
<li>From a terminal, run <code>sha256sum /full/path/to/your/file</code></li>
<li>Compare the result with the hash in the online checksum files. They should match.</li>
</ul>
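<p>The three commands above each print one digest that you then compare by eye. The following added example (not part of the guide, written for this page) does the same check programmatically: it parses a manifest in the coreutils <code>sha256sum</code> format used by <code>sha256sum.txt</code>, streams each listed file through SHA-256, and reports OK, MISMATCH or MISSING per entry, so a file you forgot to download is flagged rather than silently skipped. The file names and hashes in the demo are constructed stand-ins, not the guide's real files or digests.</p>

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1024 * 1024):
    """Stream a file through SHA-256. This is the digest that sha256sum, shasum -a 256
    and certutil -hashfile print, so it can be compared to the published sha256sum.txt."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sum(text):
    """Parse the coreutils sha256sum format: '<64 hex chars>  <file name>'.
    A '*' before the name (binary-mode marker) is dropped; blank and '#' lines are skipped."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line {lineno}: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        bytes.fromhex(digest)  # raises ValueError if the digest is not hexadecimal
        expected[name] = digest
    return expected


def verify_against_manifest(manifest_text, directory):
    """Return {file name: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, digest in parse_sha256sum(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = sha256_of_file(path)
        results[name] = "OK" if hmac.compare_digest(actual, digest) else "MISMATCH"
    return results


def demo():
    """Constructed demo (not the guide's real files or hashes): one intact file,
    one tampered file and one manifest entry whose file was never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        good = b"%PDF-1.7\n% constructed stand-in for guide.pdf\n"
        with open(os.path.join(d, "guide.pdf"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "guide.odt"), "wb") as f:
            f.write(b"bytes that differ from what the manifest was made from\n")
        manifest = "\n".join([
            f"{hashlib.sha256(good).hexdigest()}  guide.pdf",
            f"{hashlib.sha256(b'the original odt bytes').hexdigest()}  *guide.odt",
            f"{'0' * 64}  missing.bin",  # placeholder digest for a file that is absent
        ])
        return verify_against_manifest(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:<8} {name}")
```

<p>Run it as <code>python verify_sha256.py</code> (any file name works); the demo prints <code>OK</code> for the intact file, <code>MISMATCH</code> for the altered one and <code>MISSING</code> for the absent one. Note that a matching hash only proves the download is the file the site published; authenticity of the publisher is what the GPG and Minisign steps below establish.</p>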
<p>All commits and releases on this repository are cryptographically signed and verified using the same GPG key. Check for the “Verified” tags on each commit or release.</p>
<h3 id="how-to-verify-the-the-authenticity-and-integrity-of-the-files-using-gpg">How to verify the authenticity and integrity of the files using GPG:</h3>
<p>To verify the files with GPG signatures, you should first install gpg on your system:</p>
<ul>
<li>Windows: Install gpg4win from <a href="https://www.gpg4win.org/download.html" class="uri">https://www.gpg4win.org/download.html</a></li>
<li>MacOS: Install GPG Tools from <a href="https://gpgtools.org/" class="uri">https://gpgtools.org/</a></li>
<li>Linux: gpg should be installed by default</li>
</ul>
<p>Import the GPG key using the following command from a command prompt or terminal:</p>
<p><code>gpg --auto-key-locate nodefault,wkd --locate-keys 42FF35DB9DE7C088AB0FD4A70C216A52F6DF4920</code></p>
<p>In theory this command should fetch the key automatically via Web Key Directory (the <code>wkd</code> option above). If this doesn't work, you can also download/view it directly from here: <a href="https://anonymousplanet-ng.org/42FF35DB9DE7C088AB0FD4A70C216A52F6DF4920.asc" class="uri">https://anonymousplanet-ng.org/42FF35DB9DE7C088AB0FD4A70C216A52F6DF4920.asc</a> <sup>[[Mirror]][12]</sup></p>
<p>For redundancy, you can also verify the authenticity of this GPG key against the copies published on the following keyservers (search for the fingerprint <code>42FF35DB9DE7C088AB0FD4A70C216A52F6DF4920</code>):</p>
<ul>
<li><a href="https://pgp.mit.edu" class="uri">https://pgp.mit.edu</a></li>
<li><a href="https://keys.openpgp.org" class="uri">https://keys.openpgp.org</a></li>
<li><a href="https://keyserver.ubuntu.com" class="uri">https://keyserver.ubuntu.com</a></li>
</ul>
<p>You should then import it manually by issuing the following command on any OS:</p>
<p><code>gpg --import 42FF35DB9DE7C088AB0FD4A70C216A52F6DF4920.asc</code></p>
<p>Finally, verify the asc signature file (links above) against the PDF file by issuing the following command:</p>
<p><code>gpg --verify guide.pdf.asc guide.pdf</code></p>
<p>The output should show a <code>Good signature</code> line for the imported key, confirming that the file matches its signature.</p>
<h3 id="how-to-verify-the-the-authenticity-and-integrity-of-the-files-using-minisign">How to verify the authenticity and integrity of the files using Minisign:</h3>
<p>To verify the files with Minisign:</p>
<ul>
<li>You should first download minisign from <a href="https://jedisct1.github.io/minisign/" class="uri">https://jedisct1.github.io/minisign/</a></li>
<li>Download the files along with their *.minisig signature file (they should be in the same directory)</li>
<li>Download the Minisign public key available on the website and repository: <a href="minisign.pub">minisign.pub</a> (again place it in the same directory for convenience)</li>
<li>Run the following command in a command prompt or terminal: <code>minisign -Vm guide.pdf -p minisign.pub</code></li>
<li>Output should show <code>Signature and comment signature verified</code></li>
</ul>
<h3 id="how-to-check-the-safety-of-the-files-using-virustotal">How to check the safety of the files using VirusTotal:</h3>
<p>The PDF and ODT files in this guide have been checked by VirusTotal; see the links below, but do not trust them blindly: check that the hashes match and re-upload to VT if needed (<strong>Note that this guide does not endorse VirusTotal. It should be used with extreme caution and never with any sensitive files due to their privacy policies</strong>):</p>
<ul>
<li>Light Theme: <a href="https://www.virustotal.com/gui/file/21dfa2f7da668156275e4ca2bc82091f347739967a278cf24a062c15a3944016?nocache=1">[VirusTotal]</a></li>
<li>ODT file: <a href="https://www.virustotal.com/gui/file/df8554f732dc54b530fd831548f0727934f2e03ad1518ac33061d0995eab2172?nocache=1">[VirusTotal]</a></li>
</ul>
<h3 id="additional-manual-safety-checks-for-the-pdf-files">Additional manual safety checks for the PDF files:</h3>
<p>For additional safety, you can always double-check the PDF files using PDFID, which you can download at <a href="https://blog.didierstevens.com/programs/pdf-tools/" class="uri">https://blog.didierstevens.com/programs/pdf-tools/</a> (You might be wondering why you should trust a random Python script? Well, it's open-source and well-known. It's probably a safer bet than trusting a random PDF).</p>
<p>Here are the steps:</p>
<ul>
<li>Install the latest 3.9.x version of Python on your OS, download PDFID and, from a command prompt or terminal, run:</li>
</ul>
<p><code>python pdfid.py file-to-check.pdf</code></p>
<p>You should see the following entries at 0 for safety; 0 means there is no JavaScript or any action that could embed malicious scripts. Normally this won't be necessary, as most modern PDF readers won't execute those scripts anyway.</p>
<pre><code>/JS 0 #This indicates the presence of Javascript which could be malicious
/JavaScript 0 #This indicates the presence of Javascript which could be malicious
/AA 0 #This indicates the presence of automatic action on opening
/OpenAction 0 #This indicates the presence of automatic action on opening
/AcroForm 0 #This indicates the presence of AcroForm which could contain malicious JavaScript
/JBIG2Decode 0 #This indicates the PDF uses JBIG2 compression which could be used for obfuscating malicious content
/RichMedia 0 #This indicates the presence of rich media within the PDF such as Flash
/Launch 0 #This counts the launch actions
/EmbeddedFile 0 #This indicates there are embedded files within the PDF
/XFA 0 #This indicates the presence of XML Forms within the PDF</code></pre>
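<p>To make clear what the zeros above actually measure, here is an added example (written for this page; it is not PDFID, nor code from the guide) that scans raw PDF bytes for the same ten names. It shows the one detail that matters for such a scan: PDF names may spell bytes as <code>#xx</code> hex escapes, so <code>/J#61vaScript</code> is the same name as <code>/JavaScript</code> and must be normalized before counting, otherwise a trivial respelling would hide a keyword. The two sample PDFs are hand-constructed minimal files, not the guide's documents.</p>

```python
import re

# The ten names pdfid reports on this page; a non-zero count is what the guide says to look for.
SUSPICIOUS_NAMES = (
    "/JS", "/JavaScript", "/AA", "/OpenAction", "/AcroForm",
    "/JBIG2Decode", "/RichMedia", "/Launch", "/EmbeddedFile", "/XFA",
)

# A PDF name starts with '/' and runs until whitespace or a delimiter ( ) < > [ ] { } / %.
_NAME_RE = re.compile(rb"/([^\s()<>\[\]{}/%]*)")
# '#xx' inside a name is a hex escape for one byte (PDF 1.2 syntax): /J#53 means /JS.
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw_body):
    """Decode hex escapes so that an obfuscated spelling counts as the same name."""
    decoded = _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw_body)
    return b"/" + decoded


def count_suspicious_names(pdf_bytes):
    """Count each suspicious name in the raw file bytes, the way a pdfid-style scan does.
    Caveat: names inside compressed object streams are not visible to a raw scan,
    so a row of zeros is evidence, not proof, that the file is inert."""
    counts = {name: 0 for name in SUSPICIOUS_NAMES}
    for m in _NAME_RE.finditer(pdf_bytes):
        key = normalize_name(m.group(1)).decode("latin-1")
        if key in counts:
            counts[key] += 1
    return counts


def is_clean(counts):
    """True when every monitored name has a count of 0, the result the guide expects."""
    return all(n == 0 for n in counts.values())


def report(counts):
    """Render the counts in the '/Name count' layout shown on this page."""
    return "\n".join(f"{name:<14}{n}" for name, n in counts.items())


# Constructed samples (hand-written minimal PDFs, not the guide's files).
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Same skeleton plus an OpenAction pointing at a JavaScript action (spelled /J#61vaScript
# to show the escape handling) and an AcroForm with an XFA reference. The script body is
# only a placeholder string.
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm 5 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /S /J#61vaScript /JS (placeholder script text) >>\nendobj\n"
    b"5 0 obj\n<< /Fields [] /XFA 6 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        c = count_suspicious_names(data)
        print(f"== {label}: {'clean' if is_clean(c) else 'needs a closer look'}")
        print(report(c))
```

<p>Run with <code>python pdf_name_scan.py</code>: the benign sample prints all zeros, while the second sample reports <code>/JavaScript</code>, <code>/JS</code>, <code>/OpenAction</code>, <code>/AcroForm</code> and <code>/XFA</code> at 1 each even though <code>/JavaScript</code> never appears literally in the bytes. As with PDFID, a non-zero count is a reason to look closer, not by itself a verdict.</p>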
</body>
</html>