mirror of
https://github.com/Anon-Planet/thgtoa.git
synced 2024-12-28 00:39:39 -05:00
nopeitsnothing
01c303df2f
Sign recent changes Signed-off-by: nopeitsnothing <no@anonymousplanet.org>
347 lines
18 KiB
HTML
347 lines
18 KiB
HTML
<!DOCTYPE html>
|
||
<html lang="en-US">
|
||
<head>
|
||
<meta charset='utf-8'>
|
||
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
||
<!-- Offline -->
|
||
<!-- <meta http-equiv="onion-location" content="/verify.html" /> -->
|
||
<meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'; object-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'">
|
||
<meta http-equiv=”X-XSS-Protection” content=”1">
|
||
<meta http-equiv="Permissions-Policy" content="interest-cohort=()"/>
|
||
<meta name="referrer" content="no-referrer">
|
||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||
<link rel="stylesheet" href="assets/css/style.css" id="dark">
|
||
<link rel="stylesheet" href="assets/css/light_style.css" media="none" id="light">
|
||
<link rel="shortcut icon" type="image/x-icon" href="media/favicon.ico">
|
||
<script>
|
||
function SetDark() {
|
||
document.getElementById('dark').media = "";
|
||
document.getElementById('light').media = "none";
|
||
themeicon.innerHTML = '<svg height="24px" viewBox="0 0 24 24" width="24px" fill="#FFF"><path d="M0 0h24v24H0z" fill="none"/><path d="M20 8.69V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12 20 8.69zM12 18c-3.31 0-6-2.69-6-6s2.69-6 6-6 6 2.69 6 6-2.69 6-6 6zm0-10c-2.21 0-4 1.79-4 4s1.79 4 4 4 4-1.79 4-4-1.79-4-4-4z"/></svg>';
|
||
}
|
||
|
||
function SetLight() {
|
||
document.getElementById('light').media = "";
|
||
document.getElementById('dark').media = "none";
|
||
themeicon.innerHTML = '<svg enable-background="new 0 0 24 24" height="24px" viewBox="0 0 24 24" width="24px" fill="#000000"><rect fill="none" height="24" width="24"/><path d="M12,3c-4.97,0-9,4.03-9,9s4.03,9,9,9s9-4.03,9-9c0-0.46-0.04-0.92-0.1-1.36c-0.98,1.37-2.58,2.26-4.4,2.26 c-2.98,0-5.4-2.42-5.4-5.4c0-1.81,0.89-3.42,2.26-4.4C12.92,3.04,12.46,3,12,3L12,3z"/></svg>';
|
||
}
|
||
|
||
window.addEventListener('load',
|
||
function() {
|
||
if (window.matchMedia("(prefers-color-scheme: dark)").matches) {
|
||
if (localStorage.getItem("theme") == "light") {
|
||
SetLight();
|
||
document.getElementById('switch').checked = true;
|
||
} else {
|
||
SetDark();
|
||
document.getElementById('switch').checked = false;
|
||
}
|
||
} else if (window.matchMedia("(prefers-color-scheme: light)").matches) {
|
||
if (localStorage.getItem("theme") == "dark") {
|
||
SetDark();
|
||
document.getElementById('switch').checked = false;
|
||
} else {
|
||
SetLight();
|
||
document.getElementById('switch').checked = true;
|
||
}
|
||
} else {
|
||
SetDark();
|
||
document.getElementById('switch').checked = false;
|
||
}
|
||
}, false);
|
||
|
||
function switch_theme(state) {
|
||
if (state) {
|
||
SetLight();
|
||
localStorage.setItem("theme", "light");
|
||
} else {
|
||
SetDark();
|
||
localStorage.setItem("theme", "dark");
|
||
}
|
||
};
|
||
</script>
|
||
<style>
|
||
.theme-switch-wrapper {
|
||
display: inline-block;
|
||
z-index: 100;
|
||
position: absolute;
|
||
right: 0;
|
||
top: -10px;
|
||
}
|
||
|
||
.jswarning {
|
||
display: inline-block;
|
||
border: 1px solid green;
|
||
}
|
||
|
||
.theme-switch-wrapper span {
|
||
margin-right: 2px;
|
||
}
|
||
|
||
.theme-switch {
|
||
display: inline-block;
|
||
height: 25px;
|
||
position: relative;
|
||
width: 40px;
|
||
}
|
||
|
||
.theme-switch input {
|
||
display: none;
|
||
}
|
||
|
||
.slider {
|
||
background: #696969;
|
||
cursor: pointer;
|
||
position: absolute;
|
||
left: 0;
|
||
right: 0;
|
||
top: 0;
|
||
bottom: 0;
|
||
transition: 0.5s;
|
||
}
|
||
|
||
.slider::before {
|
||
background: #fff;
|
||
bottom: 4px;
|
||
content: '';
|
||
height: 17px;
|
||
left: 4px;
|
||
position: absolute;
|
||
transition: 0.5s;
|
||
width: 17px;
|
||
}
|
||
|
||
input:checked + .slider {
|
||
background: #151515;
|
||
}
|
||
|
||
input:checked + .slider::before {
|
||
transform: translateX(15px);
|
||
}
|
||
|
||
.slider.round {
|
||
border-radius: 34px;
|
||
}
|
||
|
||
.slider.round::before {
|
||
border-radius: 50%;
|
||
}
|
||
|
||
.fas {
|
||
font-size: 30px;
|
||
}
|
||
</style>
|
||
<noscript>
|
||
<style>.theme-switch-wrapper {display:none;}</style>
|
||
</noscript>
|
||
|
||
<!-- Begin Jekyll SEO tag v2.8.0 -->
|
||
<title>How to check files for safety/integrity and authenticity: | The Hitchhiker’s Guide to Online Anonymity</title>
|
||
<meta name="generator" content="Jekyll v3.9.3" />
|
||
<meta property="og:title" content="How to check files for safety/integrity and authenticity:" />
|
||
<meta name="author" content="AnonymousPlanet" />
|
||
<meta property="og:locale" content="en_US" />
|
||
<meta name="description" content="The Hitchhiker’s Guide to Online Anonymity" />
|
||
<meta property="og:description" content="The Hitchhiker’s Guide to Online Anonymity" />
|
||
<link rel="canonical" href="http://localhost:4000/verify.html" />
|
||
<meta property="og:url" content="http://localhost:4000/verify.html" />
|
||
<meta property="og:site_name" content="The Hitchhiker’s Guide to Online Anonymity" />
|
||
<meta property="og:type" content="website" />
|
||
<meta name="twitter:card" content="summary" />
|
||
<meta property="twitter:title" content="How to check files for safety/integrity and authenticity:" />
|
||
<script type="application/ld+json">
|
||
{"@context":"https://schema.org","@type":"WebPage","author":{"@type":"Person","name":"AnonymousPlanet"},"description":"The Hitchhiker’s Guide to Online Anonymity","headline":"How to check files for safety/integrity and authenticity:","url":"http://localhost:4000/verify.html"}</script>
|
||
<!-- End Jekyll SEO tag -->
|
||
|
||
</head>
|
||
<body style="transition: all 0.5s ease;">
|
||
<header>
|
||
<div class="container" style="position: relative;">
|
||
<div class="theme-switch-wrapper">
|
||
<!-- Icon -->
|
||
<span id="toggle-icon">
|
||
<i id="themeicon" class="fas fa-sun"></i>
|
||
</span>
|
||
<!-- Switch -->
|
||
<label class="theme-switch">
|
||
<input type="checkbox" id="switch" onclick="switch_theme(this.checked)">
|
||
<div class="slider round"></div>
|
||
</label>
|
||
</div>
|
||
<a id="a-title">
|
||
<h1>The Hitchhiker’s Guide to Online Anonymity</h1>
|
||
</a>
|
||
<h2>How I learned to start worrying and love <del>privacy</del> anonymity</h2>
|
||
<h4 class="project-version">The latest Version is v1.1.8. See the <a href="CHANGELOG.html" style="color:#ff4700">changelog.</a></h4>
|
||
<section id="downloads">
|
||
|
||
<a href="index.html" class="btn_small">Home</a>
|
||
|
||
|
||
<a href="guide.html" class="btn_small" style="color:#FF0000">View Online</a>
|
||
|
||
<a href="export/guide.pdf" class="btn_small">PDF</a>
|
||
<!--<a href="" class="btn_small">PDF (Dark)</a>-->
|
||
<a href="export/guide.odt" class="btn_small">OpenDocument</a>
|
||
|
||
<a href="donations.html" class="btn_small">Donate</a>
|
||
|
||
|
||
<a href="constitution.html" class="btn_small">Constitution</a>
|
||
|
||
<a href="https://github.com/nopeitsnothing/thgtoa-dev" target="_blank" class="btn_small">Repository</a>
|
||
<!--<a href="" target="_blank" class="btn_small">Keyoxide</a>-->
|
||
<a rel="me" href="https://mastodon.social/@anonymousplanet" target="_blank" class="btn_small">Mastodon</a>
|
||
<a rel="me" href="https://anonymousplanet.org/twitter.html" target="_blank" class="btn_small">Twitter</a>
|
||
<!--<a rel="me" href="https://mastodon.social/@anonymousplanet" target="_blank" class="btn_small">Mastodon</a>-->
|
||
|
||
<a href="links.html" class="btn_small">Links</a>
|
||
|
||
|
||
<a href="about.html" class="btn_small">About</a>
|
||
|
||
</section>
|
||
<h5>GPG Key Fingerprint: 9EA9 8278 639F 1CD8 53E0 96CB FF94 5075 87A6 A9B9 / Minisign public key: <a href="minisign.pub" style="color:#ff4700">minisign.pub</a></h5>
|
||
<noscript><p class="jswarning">JavaScript is required to toggle light mode. JavaScript is not used for any other purpose.</p></noscript>
|
||
</div>
|
||
</header>
|
||
<div class="container">
|
||
<section id="main_content">
|
||
<h2 id="how-to-check-files-for-safetyintegrity-and-authenticity">How to check files for safety/integrity and authenticity:</h2>
|
||
|
||
<p>The PDF and ODT files of this guide are cryptographically signed using GPG and <a href="https://jedisct1.github.io/minisign">Minisign</a>. Their integrity can be verified with the published SHA256 Checksum hashes on this website. SHA256 checksums of all the PDF and ODT files are available here in the <a href="/sha256sum.txt">sha256sum.txt</a> file. SHA256 checksums, signatures, and VirusTotal (“VT”) checks of the releases files (containing the whole repository) are available within the latest release information at <a href="https://github.com/Anon-Planet/thgtoa/releases/latest">https://github.com/Anon-Planet/thgtoa/releases/latest</a> which will be available as soon as we have a stable release.</p>
|
||
|
||
<p>The GPG signatures for each PDF and ODT files are available here:</p>
|
||
<ul>
|
||
<li>PDF (Light Theme) Main and Mirrors: <a href="guide.pdf.asc">guide.pdf.asc</a></li>
|
||
<li>ODT Main and Mirrors: <a href="guide.odt.asc">guide.odt.asc</a></li>
|
||
</ul>
|
||
|
||
<p>The Minisign signatures for each PDF and ODT files are available here:</p>
|
||
<ul>
|
||
<li>PDF (Light Theme) Main and Mirrors: <a href="guide.pdf.minisig">guide.pdf.minisig</a></li>
|
||
<li>ODT Main and Mirrors: <a href="guide.odt.minisig">guide.odt.minisig</a></li>
|
||
</ul>
|
||
|
||
<h3 id="how-to-check-the-integrity-of-files-using-sha256-checksums">How to check the integrity of files using SHA256 checksums:</h3>
|
||
|
||
<p>First get the hash of your local file by following these steps for your OS:</p>
|
||
|
||
<p>Windows:</p>
|
||
<ul>
|
||
<li>From a command prompt, run <code class="language-plaintext highlighter-rouge">certutil -hashfile filename.txt sha256</code></li>
|
||
<li>Compare the obtained hash result of your local file to the online file’s published hash. They should match.</li>
|
||
</ul>
|
||
|
||
<p>macOS:</p>
|
||
<ul>
|
||
<li>From a terminal, run <code class="language-plaintext highlighter-rouge">shasum -a 256 /full/path/to/your/file</code></li>
|
||
<li>Compare the obtained hash result of your local file to the online file’s published hash. They should match.</li>
|
||
</ul>
|
||
|
||
<p>Linux:</p>
|
||
<ul>
|
||
<li>From a terminal, run <code class="language-plaintext highlighter-rouge">sha256sum /full/path/to/your/file</code></li>
|
||
<li>Compare the obtained hash result of your local file to the online file’s published hash. They should match.</li>
|
||
</ul>
|
||
|
||
<p>All commits and releases on this repository are cryptographically signed and verified by each collaborator (check for the “Verified” tags on commits and releases).</p>
|
||
|
||
<h3 id="how-to-verify-the-the-authenticity-and-integrity-of-files-using-gpg">How to verify the the authenticity and integrity of files using GPG:</h3>
|
||
|
||
<p>To verify files with GPG signatures, you should first install gpg on your system:</p>
|
||
<ul>
|
||
<li>Windows: Install gpg4win from <a href="https://www.gpg4win.org/download.html">https://www.gpg4win.org/download.html</a></li>
|
||
<li>MacOS: Install GPG Tools from <a href="https://gpgtools.org/">https://gpgtools.org/</a></li>
|
||
<li>Linux: gpg should be installed by default. If not, use your Linux package manager to install it such as apt (debian) or rpm (red hat).</li>
|
||
</ul>
|
||
|
||
<p>Import the master signing key from a trusted source of the publisher using the following command from a command prompt or terminal:</p>
|
||
|
||
<p><code class="language-plaintext highlighter-rouge">gpg --auto-key-locate nodefault,wkd --locate-keys 9EA98278639F1CD853E096CBFF94507587A6A9B9</code></p>
|
||
|
||
<p>In theory this command should fetch the key from the a default pool server. If this doesn’t work, you can also download/view it directly from here (in our case): <a href="https://anonymousplanet.org/pgp/AnonymousPlanet-Master-Signing-Key_9EA98278639F1CD853E096CBFF94507587A6A9B9.asc">https://anonymousplanet.org/pgp/AnonymousPlanet-Master-Signing-Key_9EA98278639F1CD853E096CBFF94507587A6A9B9.asc</a></p>
|
||
|
||
<p>As well as the published key on any keyserver below (search for the fingerprint <code class="language-plaintext highlighter-rouge">9EA98278639F1CD853E096CBFF94507587A6A9B9</code>):</p>
|
||
<ul>
|
||
<li><a href="https://pgp.mit.edu">https://pgp.mit.edu</a></li>
|
||
<li><a href="https://keys.openpgp.org">https://keys.openpgp.org</a></li>
|
||
<li><a href="https://keyserver.ubuntu.com">https://keyserver.ubuntu.com</a></li>
|
||
</ul>
|
||
|
||
<p>You should then import it manually by issuing the following command on any OS:</p>
|
||
|
||
<p><code class="language-plaintext highlighter-rouge">gpg --import 9EA98278639F1CD853E096CBFF94507587A6A9B9.asc</code></p>
|
||
|
||
<p>The master signing key allows you to verify all other project-related keys. Once you have the master signing key and are confident it’s the correct key (nobody has tampered with it), mark the key as trusted by locally signing it:</p>
|
||
|
||
<p><code class="language-plaintext highlighter-rouge">gpg --lsign-key 9EA98278639F1CD853E096CBFF94507587A6A9B9</code></p>
|
||
|
||
<p>Alternatively, if you use Kleopatra, it will ask you to certify the key. Certify the key to mark it as trusted.</p>
|
||
|
||
<p>Once you have the master key downloaded, imported, and certified, you will obtain a copy of the release key.</p>
|
||
|
||
<p><code class="language-plaintext highlighter-rouge">gpg --auto-key-locate nodefault,wkd --locate-keys 83A6CF9EF57AC25B5C7F5D29285E6048A12321B2</code> (to import the release signing key)</p>
|
||
|
||
<p><a href="https://anonymousplanet.org/pgp/AnonymousPlanet-Release-Signing-Key_83A6CF9EF57AC25B5C7F5D29285E6048A12321B2.asc">https://anonymousplanet.org/pgp/AnonymousPlanet-Release-Signing-Key_83A6CF9EF57AC25B5C7F5D29285E6048A12321B2.asc</a> (to download the key yourself)</p>
|
||
|
||
<p>If you use GPG directly, you won’t need to mark the release signing key as trusted, because it’s already signed by the master signing key. If you use Kleopatra, the process to import the release signing key is the same as importing the master signing key.</p>
|
||
|
||
<p>Finally, verify the asc signature file (links above) against the PDF file by issuing the following example command:</p>
|
||
|
||
<p><code class="language-plaintext highlighter-rouge">gpg --verify guide.pdf.asc guide.pdf</code></p>
|
||
|
||
<p>This should output a result showing it matches a signature created by the release signing key, and is therefore a good result.</p>
|
||
|
||
<h3 id="how-to-verify-the-the-authenticity-and-integrity-of-the-files-using-minisign">How to verify the the authenticity and integrity of the files using Minisign:</h3>
|
||
|
||
<p>To verify the files with Minisign:</p>
|
||
|
||
<ul>
|
||
<li>First, download minisign from <a href="https://jedisct1.github.io/minisign/">https://jedisct1.github.io/minisign/</a>.</li>
|
||
<li>Download the files along with their *.minisig signature file (these should be in the same directory).</li>
|
||
<li>Download the Minisign public key available on the website and repository: <a href="/minisign.pub">minisign.pub</a> (again, place it in the same directory for convenience).</li>
|
||
<li>Run the following command in a command prompt or terminal within the directory with both files: <code class="language-plaintext highlighter-rouge">minisign -Vm guide.pdf -p minisign.pub</code>.</li>
|
||
<li>Output should show <code class="language-plaintext highlighter-rouge">Signature and comment signature verified</code>.</li>
|
||
</ul>
|
||
|
||
<h3 id="how-to-check-the-relative-safety-of-files-or-even-urls-such-as-httpsanonymousplanetorg-using-virustotal">How to check the relative safety of files or even URLs (such as https://anonymousplanet.org) using VirusTotal:</h3>
|
||
<p><strong>Note: we do not endorse VirusTotal. It should be used with extreme caution, never with any sensitive files, due to their privacy policies. Do not upload sensitive files to VirusTotal.</strong></p>
|
||
|
||
<p>The PDF and ODT files of this guide have been automatically scanned by VT, see the links below for an example but do not trust these hashes blindly. Check the hashes match and re-upload to VT if needed:</p>
|
||
<ul>
|
||
<li>PDF file: <a href="https://www.virustotal.com/gui/file/8fefe9bc982aa3d89dd1d8f7bc5b89c17b7e5d212826c21c87f2c0795668fac3?nocache=1">[VT Scan]</a></li>
|
||
<li>ODT file: <a href="https://www.virustotal.com/gui/file/19055de599deecbd9482b4bfba19abb3e44fa9c8b53fefee3d2bd9c587f6ac1e?nocache=1">[VT Scan]</a></li>
|
||
</ul>
|
||
|
||
<h3 id="additional-manual-safety-checks-for-the-pdf-files">Additional manual safety checks for the PDF files:</h3>
|
||
|
||
<p>For additional safety, you can always double check the PDF files using the PDFID tool which you can download at <a href="https://blog.didierstevens.com/programs/pdf-tools/">https://blog.didierstevens.com/programs/pdf-tools/</a>. (You might be wondering: “Why should I trust a random python script?” Well, it is open-source and well-known. It is also probably a safer bet than trusting a random PDF).</p>
|
||
|
||
<p>Here are the steps:</p>
|
||
|
||
<ul>
|
||
<li>Install the latest version (e.g., 3.10.6 stable) of Python, download <a href="https://didierstevens.com/files/software/pdfid_v0_2_8.zip">pdfid</a> and, from a command prompt or terminal, run:</li>
|
||
</ul>
|
||
|
||
<p><code class="language-plaintext highlighter-rouge">python pdfid.py file-to-check.pdf</code></p>
|
||
|
||
<p>And you should see the following entries at <strong>0</strong> for safety, this 0 means there is no Javascript or any action that could possibly execute malicious macros, scripts, etc. Normally this won’t be necessary as most modern PDF readers won’t execute those scripts anyway.</p>
|
||
|
||
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/JS 0 #This indicates the presence of Javascript which could be malicious
|
||
/JavaScript 0 #This indicates the presence of Javascript which could be malicious
|
||
/AA 0 #This indicates the presence of automatic action on opening
|
||
/OpenAction 0 #This indicates the presence of automatic action on opening
|
||
/AcroForm 0 #This indicates the presence of AcroForm which could contain malicious JavaScript
|
||
/JBIG2Decode 0 #This indicates the PDF uses JBIG2 compression which could be used for obfuscating malicious content
|
||
/RichMedia 0 #This indicates the presence rich media within the PDF such as Flash
|
||
/Launch 0 #This counts the launch actions
|
||
/EmbeddedFile 0 #This indicates there are embedded files within the PDF
|
||
/XFA 0 #This indicates the presence of XML Forms within the PDF
|
||
</code></pre></div></div>
|
||
|
||
</section>
|
||
</div>
|
||
</body>
|
||
</html>
|