The goal of this document is to describe the desired user experience for the next generation of "sig" and it's predecessor "git-signatures"
These were useful prototypes but significant improvement is needed before widespread use.
Lance R. Vick lrvick
lrvick
/ pgp-policy.json
Created
January 21, 2022 10:36
Example verification policy for OpenPGP based on arbitrary metadata values present in signatures in value ranges that must come from respective groups
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [{ | |
| name: "release-engineers", | |
| min: 1, | |
| members: ['fingerprint1', 'fingerprint2'], | |
| metadata: { | |
| thoroughness: { min: 2 }, | |
| understanding: { min: 4 }, | |
| rating: { present: true } | |
| } | |
| }, |
lrvick
/ macos-harden.yml
Created
November 5, 2021 02:07
Ansible example for best effort automated MacOS hardening
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - name: Check if Previously Run | |
| stat: | |
| path: /var/log/ansible.log | |
| register: ansible_logfile | |
| - name: Enable FileVault2 | |
| filevault: enabled=true | |
| become_user: root |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| func generatePassword(length int) string { | |
| const CharSetIAMPassword = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012346789!@#$%^&*()_+-=[]{}|'" | |
| charSetLength := len(CharSetIAMPassword) | |
| rand.Seed(time.Now().UTC().UnixNano()) | |
| result := make([]byte, length) | |
| for i := 0; i < length; i++ { | |
| result[i] = CharSetIAMPassword[rand.Intn(charSetLength)] | |
| } | |
| return string(result) | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -e | |
| export LC_ALL= | |
| export LANGUAGE=en | |
| function gpg_env(){ | |
| GNUPGHOME=$(mktemp -d -p /dev/shm/); export GNUPGHOME | |
| echo "pinentry-mode loopback" >> "$GNUPGHOME/gpg.conf" |
lrvick
/ secure_crypto_asset_custody.md
Last active
January 27, 2023 04:23
Secure Crypto Asset Custody Requirements
This document seeks to outline a broad set of requirements for crypto-asset custodians based on lessons learned from historical failures to understand and remove attack surface.
It will also assume that not everyone has equal resources or equal risk and as such four incrementally harder security levels to that effect, depending on
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - name: Check if Previously Run | |
| stat: | |
| path: /var/log/ansible.log | |
| register: ansible_logfile | |
| - name: Enable FileVault2 | |
| filevault: enabled=true | |
| become_user: root |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| dd if=/dev/zero of="disk.raw" bs=512 count=102400 | |
| mformat -i disk.raw@@1024K -h 32 -t 32 -n 64 -c 1 | |
| mmd -i disk.raw@@1024K ::EFI | |
| mmd -i disk.raw@@1024K ::EFI/BOOT | |
| mcopy -i disk.raw@@1024K /out/boot.efi ::EFI/BOOT/BOOTX64.EFI | |
| dd if=/dev/zero of="root.raw" bs=512 count=307199 | |
| mkfs.ext4 -N 0 main.raw | |
| cat root.raw >> disk.raw | |
| truncate -s "+850M" disk.raw | |
| parted disk.raw \ |
lrvick
/ usb-boot.patch
Created
December 10, 2020 21:55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init | |
| index 1369ed1..f576a8e 100755 | |
| --- a/initrd/bin/gui-init | |
| +++ b/initrd/bin/gui-init | |
| @@ -13,21 +13,26 @@ first_pass=true | |
| mount_boot() | |
| { | |
| - | |
| + |
lrvick
/ propaganda.md
Last active
May 7, 2021 08:33
#! propaganda - External media or resources that have influenced or validated our culture in terms of security, privacy, or digital sovereignty.