<h1 class="title">The Hitchhiker's Guide to Online Anonymity</h1>
</header>
<h2 id="how-to-check-the-files-for-safetyintegrity-and-authenticity.">How to check the files for safety/integrity and authenticity.</h2>
<p>The PDF and ODT files in this guide are cryptographically signed using GPG and Minisign. Their integrity can be verified with the SHA256 checksum hashes published on this website.</p>
<p>SHA256 checksums of all the PDF and ODT files are available here in the <a href="sha256sum.txt">sha256sum.txt</a> file.</p>
<p>SHA256 checksums, signatures, and VirusTotal checks of the release files (containing the whole repository) are available within the release information at <a href="https://github.com/AnonyPla-ng/thgtoa/releases/latest" class="uri">https://github.com/AnonyPla-ng/thgtoa/releases/latest</a></p>
<p>The GPG signatures for each PDF and ODT file are available here:</p>
<ul>
<li>PDF (Light Theme) Main and Mirrors: <a href="guide.pdf.asc">guide.pdf.asc</a></li>
<li>ODT Main and Mirrors: <a href="guide.odt.asc">guide.odt.asc</a></li>
</ul>
<p>The Minisign signatures for each PDF and ODT file are available here:</p>
<ul>
<li>PDF (Light Theme) Main and Mirrors: <a href="guide.pdf.minisig">guide.pdf.minisig</a></li>
<li>ODT Main and Mirrors: <a href="guide.odt.minisig">guide.odt.minisig</a></li>
</ul>
<h3 id="how-to-check-the-integrity-of-the-files-using-the-sha256-checksums">How to check the integrity of the files using the SHA256 Checksums:</h3>
<p>Please do the following:</p>
<p>Windows:</p>
<ul>
<li>From a command prompt, run <code>certutil -hashfile filename.txt sha256</code></li>
<li>Compare the result with the hash in the online checksum files. They should match.</li>
</ul>
<p>MacOS:</p>
<ul>
<li>From a terminal, run <code>shasum -a 256 /full/path/to/your/file</code></li>
<li>Compare the result with the hash in the online checksum files. They should match.</li>
</ul>
<p>Linux:</p>
<ul>
<li>From a terminal, run <code>sha256sum /full/path/to/your/file</code></li>
<li>Compare the result with the hash in the online checksum files. They should match.</li>
</ul>
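<p>The same comparison can be scripted so that it behaves identically on all three systems. The following is an added example, not part of the guide or its repository; it assumes <code>sha256sum.txt</code> uses the usual <code>sha256sum</code> line format (digest, separator, file name), and the file contents in <code>demo()</code> are constructed samples.</p>

```python
import hashlib
import os
import re
import tempfile

# Assumed line format (sha256sum style): 64 hex chars, then "  name" or " *name".
LINE_RE = re.compile(r"^([0-9A-Fa-f]{64}) [ *](.+)$")

def parse_checksums(text):
    """Return {filename: lowercase digest}; reject malformed lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(checksum_text, directory):
    """Map each listed file to 'OK', 'MISMATCH' or 'MISSING'."""
    results = {}
    for name, expected in parse_checksums(checksum_text).items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_file(path) == expected else "MISMATCH"
    return results

def demo():
    """Constructed sample: one intact file, one altered file, one absent file."""
    good, altered = b"%PDF-1.7 constructed sample\n", b"constructed ODT bytes"
    listing = (f"{hashlib.sha256(good).hexdigest().upper()}  guide.pdf\n"
               f"{hashlib.sha256(altered).hexdigest()} *guide.odt\n"
               f"{'0' * 64}  absent.pdf\n")
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "guide.pdf"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "guide.odt"), "wb") as f:
            f.write(altered + b" modified after publication")
        return verify(listing, d)
```

<p>A matching checksum only shows that the file equals what the checksum list describes; the signature checks are what tie the file to the publisher's key.</p>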
<p>All commits and releases on this repository are cryptographically signed and verified using the same GPG key. Check for the “Verified” tags on each commit or release.</p>
<h3 id="how-to-verify-the-the-authenticity-and-integrity-of-the-files-using-gpg">How to verify the authenticity and integrity of the files using GPG:</h3>
<p>Now to verify the files with GPG signatures, you should first install gpg on your system:</p>
<ul>
<li>Windows: Install gpg4win from <a href="https://www.gpg4win.org/download.html" class="uri">https://www.gpg4win.org/download.html</a></li>
<li>MacOS: Install GPG Tools from <a href="https://gpgtools.org/" class="uri">https://gpgtools.org/</a></li>
<li>Linux: gpg should be installed by default</li>
</ul>
<p>Import the GPG key using the following command from a command prompt or terminal:</p>
<p>In theory, this command should fetch the key from a default pool server. If this doesn’t work, you can also download/view it directly from here: <a href="https://anonymousplanet-ng.org/42FF35DB9DE7C088AB0FD4A70C216A52F6DF4920.asc" class="uri">https://anonymousplanet-ng.org/42FF35DB9DE7C088AB0FD4A70C216A52F6DF4920.asc</a></p>
<p>For redundancy, you can also verify the authenticity of this GPG signature using:</p>
<p>As well as the published key on (search for the fingerprint <code>42FF35DB9DE7C088AB0FD4A70C216A52F6DF4920</code>):</p>
<ul>
<li><a href="https://pgp.mit.edu" class="uri">https://pgp.mit.edu</a></li>
<li><a href="https://keys.openpgp.org" class="uri">https://keys.openpgp.org</a></li>
<li><a href="https://keyserver.ubuntu.com" class="uri">https://keyserver.ubuntu.com</a></li>
</ul>
<p>This should output a result showing it matches and it’s ok.</p>
<h3 id="how-to-verify-the-the-authenticity-and-integrity-of-the-files-using-minisign">How to verify the authenticity and integrity of the files using Minisign:</h3>
<ul>
<li>Download the files along with their *.minisig signature file (they should be in the same directory)</li>
<li>Download the Minisign public key available on the website and repository: <a href="minisign.pub">minisign.pub</a> (again, place it in the same directory for convenience)</li>
<li>Run the following command in a command prompt or terminal: <code>minisign -Vm guide.pdf -p minisign.pub</code></li>
<li>Output should show <code>Signature and comment signature verified</code></li>
</ul>
<h3 id="how-to-check-the-safety-of-the-files-using-virustotal">How to check the safety of the files using VirusTotal:</h3>
<p>The PDF and ODT files in this guide have been checked by VirusTotal. See the links below, but do not trust them blindly: check that the hashes match and re-upload to VT if needed (<strong>Note that this guide does not endorse VirusTotal. It should be used with extreme caution and never with any sensitive files due to their privacy policies</strong>):</p>
<ul>
<li>Light Theme: <a href="https://www.virustotal.com/gui/file/21dfa2f7da668156275e4ca2bc82091f347739967a278cf24a062c15a3944016?nocache=1">[VirusTotal]</a></li>
<li>ODT file: <a href="https://www.virustotal.com/gui/file/df8554f732dc54b530fd831548f0727934f2e03ad1518ac33061d0995eab2172?nocache=1">[VirusTotal]</a></li>
</ul>
<h3 id="additional-manual-safety-checks-for-the-pdf-files">Additional manual safety checks for the PDF files:</h3>
<p>For additional safety, you can always double-check the PDF files using PDFID, which you can download at <a href="https://blog.didierstevens.com/programs/pdf-tools/" class="uri">https://blog.didierstevens.com/programs/pdf-tools/</a> (You might be wondering why you should trust a random Python script. Well, it’s open-source and well-known. It’s probably a safer bet than trusting a random PDF).</p>
<p>Here are the steps:</p>
<ul>
<li>Install the latest 3.9.x version of Python on your OS, download PDFID and, from a command prompt or terminal, run:</li>
</ul>
<p>You should see the following entries at 0. A count of 0 means the PDF contains no JavaScript or any action that could embed malicious scripts. Normally this check won’t be necessary, as most modern PDF readers won’t execute those scripts anyway.</p>
<pre><code>/JS 0 #This indicates the presence of JavaScript which could be malicious
/JavaScript 0 #This indicates the presence of JavaScript which could be malicious
/AA 0 #This indicates the presence of automatic action on opening
/OpenAction 0 #This indicates the presence of automatic action on opening
/AcroForm 0 #This indicates the presence of AcroForm which could contain malicious JavaScript
/JBIG2Decode 0 #This indicates the PDF uses JBIG2 compression which could be used for obfuscating malicious content
/RichMedia 0 #This indicates the presence of rich media within the PDF such as Flash
/Launch 0 #This counts the launch actions
/EmbeddedFile 0 #This indicates there are embedded files within the PDF
/XFA 0 #This indicates the presence of XML Forms within the PDF</code></pre>
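<p>To show what such a keyword count involves, here is a simplified scan for the ten names listed above. It is an added example and not PDFID's own code: it counts PDF name tokens in the raw bytes, decodes <code>#xx</code> hex escapes inside names so an escaped spelling is still counted, and does not look inside compressed streams. Both sample documents are constructed.</p>

```python
import re

KEYWORDS = ["/JS", "/JavaScript", "/AA", "/OpenAction", "/AcroForm",
            "/JBIG2Decode", "/RichMedia", "/Launch", "/EmbeddedFile", "/XFA"]

# A PDF name starts with '/' and runs until whitespace or a delimiter character.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r \(\)<>\[\]\{\}/%]*")
# Inside a name, '#' followed by two hex digits encodes a single byte.
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw):
    """Resolve #xx escapes so '/J#61vaScript' is read as '/JavaScript'."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def count_keywords(data):
    """Count exact occurrences of each keyword among the name tokens in data."""
    counts = dict.fromkeys(KEYWORDS, 0)
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(0)).decode("latin-1")
        if name in counts:
            counts[name] += 1
    return counts

def flagged(data):
    """Return the keywords whose count is not 0, i.e. what needs a closer look."""
    return sorted(k for k, n in count_keywords(data).items() if n)

# Constructed sample with none of the keywords.
CLEAN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

# Constructed sample: an open action pointing at a script entry whose
# subtype name is written with a hex escape.
SUSPECT = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
           b"3 0 obj\n<< /S /J#61vaScript /JS (constructed placeholder) >>\nendobj\n")

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, flagged(doc) or "all entries at 0")
```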