Skip to content
Never blindly trust anything you download.

Verify ReleasesSignatures. Hashes. Trust nothing blindly.

Every release is GPG-signed and hashed. Verify before you read.


What We Publishλ

PDF Guide

thgtoa.pdf and thgtoa-dark.pdf — the full guide in light and dark mode. The only canonical single-file export.

Latest release

Detached Signatures

.asc files for every PDF and hash file, signed with the Release Signing Key (RSK). Verify with gpg --verify.

Our keys

Hash Files

sha256sums.txt and b2sums.txt for integrity. Both are also signed. Check with sha256sum -c or b2sum -c.

Manual steps

Quick Verificationλ

# Verify everything — hashes, signatures, and optionally VirusTotal
python scripts/verify_pdf.py --all

# Hashes only
python scripts/verify_pdf.py --hashes

# GPG signatures only
python scripts/verify_pdf.py --signatures

# VirusTotal scan status (requires VT_API_KEY env var)
python scripts/verify_pdf.py --vt

Manual Verificationλ

1. Import the keyλ

gpg --import pgp/anonymousplanet.asc

Verify the fingerprint against our PGP page and GitHub releases before trusting it.

2. Verify the PDFsλ

gpg --verify export/thgtoa.pdf.asc      export/thgtoa.pdf
gpg --verify export/thgtoa-dark.pdf.asc export/thgtoa-dark.pdf

Expected output:

gpg: Signature made Sun 31 May 2026 03:23:26 AM EDT
gpg:                using EDDSA key C3023DBEA3FB38C438BA1EEDCEC60AEDE8B992A2
gpg: Good signature from "Anonymous Planet Release Signing Key" [ultimate]
Primary key fingerprint: C302 3DBE A3FB 38C4 38BA  1EED CEC6 0AED E8B9 92A2

About the WARNING

WARNING: This key is not certified with a trusted signature is expected. It means the key has not been co-signed by another key in your web of trust — not that the signature is invalid.

3. Check hashesλ

sha256sum -c sha256sums.txt
b2sum     -c b2sums.txt
Get-FileHash -Algorithm SHA256 export\thgtoa.pdf | Select-Object Hash
# Compare with the value in thgtoa.pdf.sha256

4. VirusTotal (optional)λ

export VT_API_KEY=your_vt_api_key
python scripts/verify_pdf.py --vt

Or open the VirusTotal report URLs listed in the release notes directly.


Troubleshootingλ

"Good signature" but wrong owner? Ensure you imported the correct key from pgp/. Check the fingerprint matches the RSK: C302 3DBE A3FB 38C4 38BA 1EED CEC6 0AED E8B9 92A2.

Hash mismatch? Re-download the file. Verify you are using the correct hash file for the edition (light vs dark). Check for disk errors.

GPG not installed?

Platform Command
Debian / Ubuntu sudo apt install gnupg
RHEL / Fedora sudo dnf install gnupg2
macOS brew install gnupg
Windows Gpg4win