The Hitchhiker’s Guide to Online Anonymity

How I learned to start worrying and love privacy anonymity

The latest version is v1.1.1. See the changelog.

GPG Key Fingerprint: EB16 B6AB 4AB7 BA61 F33E 2DFD 0051 E9A5 89DA B601 / Minisign public key: minisign.pub

How to check the files for safety/integrity and authenticity.

The PDF and ODT files in this guide are cryptographically signed using GPG and Minisign. Their integrity can be verified with the SHA256 checksums published on this website.

SHA256 Checksums of all the PDF and ODT files are available here in the sha256sum.txt file.

SHA256 checksums, signatures, and VirusTotal checks of the release files (containing the whole repository) are available within the release information at https://github.com/AnonymousPlanet/thgtoa/releases/latest

The GPG signatures for each PDF and ODT file are available here:

The Minisign signatures for each PDF and ODT file are available here:

How to check the integrity of the files using the SHA256 Checksums:

Please do the following:

Windows:

MacOS:

Linux:

All commits and releases on this repository are cryptographically signed and verified using the same GPG key. Check for the “Verified” tags on each commit or release.

How to verify the authenticity and integrity of the files using GPG:

Now to verify the files with GPG signatures, you should first install gpg on your system:

Import the GPG key using the following command from a command prompt or terminal:

gpg --auto-key-locate nodefault,wkd --locate-keys 0xEB16B6AB4AB7BA61F33E2DFD0051E9A589DAB601

In theory this command should fetch the key from a default pool server. If this doesn’t work, you can also download/view it directly from here: https://anonymousplanet.org/AnonymousPlanet_0x89DAB601_public.asc

For redundancy, you can also verify the authenticity of this GPG signature using:

As well as the published key on (search for the fingerprint 0xEB16B6AB4AB7BA61F33E2DFD0051E9A589DAB601):

You should then import it manually by issuing the following command on any OS:

gpg --import AnonymousPlanet_0x89DAB601_public.asc

Finally, verify the asc signature file (links above) against the PDF files by issuing the following commands:

gpg --verify guide.pdf.asc guide.pdf
gpg --verify guide-dark.pdf.asc guide-dark.pdf

Each command should output a result showing that the signature matches and is OK.

How to verify the authenticity and integrity of the files using Minisign:

To verify the files with Minisign:

How to check the safety of the files using VirusTotal:

The PDF and ODT files in this guide have been checked by VirusTotal. See the links below, but do not trust them blindly: check that the hashes match and re-upload to VT if needed (note that this guide does not endorse VirusTotal; it should be used with extreme caution and never with any sensitive files due to their privacy policies):

Additional manual safety checks for the PDF files:

For additional safety, you can always double-check the PDF files using PDFID, which you can download at https://blog.didierstevens.com/programs/pdf-tools/ (You might be wondering why you should trust a random Python script. Well, it’s open-source and well-known. It’s probably a safer bet than trusting a random PDF).

Here are the steps:

python pdfid.py file-to-check.pdf

You should see the following entries at 0 for safety; a 0 means there is no JavaScript or any action that could possibly embed malicious scripts. Normally this won’t be necessary, as most modern PDF readers won’t execute those scripts anyway.

/JS                    0 #This indicates the presence of JavaScript which could be malicious
/JavaScript            0 #This indicates the presence of JavaScript which could be malicious
/AA                    0 #This indicates the presence of automatic action on opening
/OpenAction            0 #This indicates the presence of automatic action on opening
/AcroForm              0 #This indicates the presence of AcroForm which could contain malicious JavaScript
/JBIG2Decode           0 #This indicates the PDF uses JBIG2 compression which could be used for obfuscating malicious content
/RichMedia             0 #This indicates the presence of rich media within the PDF such as Flash
/Launch                0 #This counts the launch actions
/EmbeddedFile          0 #This indicates there are embedded files within the PDF
/XFA                   0 #This indicates the presence of XML Forms within the PDF
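
To show what the counts above measure, here is an added example (written for this page; it is not PDFiD and not part of the guide). It scans raw PDF bytes for the same ten names and also resolves #xx hex escapes, so a name written as /J#53 is still counted as /JS. The function names are hypothetical, the sample byte strings are constructed, and streams are not decompressed, so it does not replace running pdfid.py.

```python
import re
from collections import Counter

# Names from the checklist above; each should count 0 in a clean file.
WATCHED = ["/JS", "/JavaScript", "/AA", "/OpenAction", "/AcroForm",
           "/JBIG2Decode", "/RichMedia", "/Launch", "/EmbeddedFile", "/XFA"]

# A PDF name is "/" followed by regular characters (no whitespace or delimiters).
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Resolve #xx escapes so an escaped spelling maps to its plain name."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Return {name: (total, hex_escaped)} for every watched name."""
    total, obfuscated = Counter(), Counter()
    for match in NAME_RE.finditer(data):
        raw = match.group(0)
        name = decode_name(raw)
        if name in WATCHED:
            total[name] += 1
            if b"#" in raw:  # the name was written with at least one escape
                obfuscated[name] += 1
    return {n: (total[n], obfuscated[n]) for n in WATCHED}


def is_clean(data: bytes) -> bool:
    """True when every watched name has a count of 0."""
    return all(count == 0 for count, _ in scan_pdf(data).values())


# Constructed sample fragments (not files from the guide).
CLEAN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SUSPECT = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
           b"3 0 obj\n<< /S /J#61vaScript /J#53 (placeholder) >>\nendobj\n")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, "->", "OK" if is_clean(sample) else "REVIEW")
        for name, (count, hidden) in scan_pdf(sample).items():
            if count:
                print(f"  {name:<14}{count} ({hidden} hex-escaped)")
```

A non-zero count means the file needs a closer look before it is opened; a hex-escaped count above zero means the name was deliberately written in a non-obvious form.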