Skip to content

Development

How the pipeline works

Automatic PDF Generation: - Builds both light and dark mode PDFs from MkDocs source SHA256 Hash Generation: - Creates hash files for integrity verification GPG Signature Signing: - Signs all PDFs and hash files with repository GPG key VirusTotal Scanning: - Automatically scans PDFs and updates release notes Release Automation: - Packages everything into GitHub releases

Architecture

Build PDF Workflow (build-sign-release.yml)

Steps

  • Checkout repository
  • Set up Python and MkDocs Material
  • Install Chromium browser
  • Generate both light and dark mode PDFs with scripts\build_guide_pdf.py
  • Create SHA256 and blake2 hash files in export/
  • Sign all files with GPG in export/
  • Upload artifacts to GitHub Actions manually

SHA256 Hash Verification

How it works

  • Each PDF gets a unique SHA256 hash calculated at build time
  • Hash stored in .sha256 files alongside the PDFs
  • Combined sha256sum.txt for batch verification

GPG Signature Verification

Purpose: Verify authenticity and prevent tampering

How it works

  • Detached signatures created for each PDF and hash file
  • Public keys available in /pgp/ directory

Verification command: 

gpg --import pgp/anonymousplanet-master.asc
gpg --verify export/thgtoa.pdf.sig export/thgtoa.pdf

This workflow is designed for security-conscious users who need to verify the authenticity and integrity of downloaded documents.