Skip to content

Instantly share code, notes, and snippets.

Phil Pennock philpennock

View GitHub Profile
#!/usr/bin/env python3
time_render: render time as given on cmdline
Convert epoch time (default) to something human-readable.
Handle obscenely large numbers.
# DNS uses u_int48_t (for TSIG) which is seconds since Unix epoch.
#!/usr/bin/env bash
set -euo pipefail
# Switched to bash so that we could bind variables for GraphQL
# * Rewrite in Go
# * Handle paging, iterate
# * Consider session keyring with timeout for caching PATs if had to be pulled from PGP-encrypted files
# * see if there's a Go implementation of the jq language
# * ability to take graphql queries from files/fds and munge into the correct
# format.
philpennock /
Last active May 8, 2020
Bash script, using dig & curl, for reporting DNS and a few HTTPS policy files for everything email about a domain
#!/usr/bin/env bash
# Copyright 2020 Pennock Tech, LLC
# No warranty, this is a proof-of-concept not a final product.
# MIT-style license.
set -euo pipefail
# This might need to switch to another language for concurrency and handling
# the queries which are rarer, but this is a decent start as a proof-of-concept.
philpennock / linode-known_hosts
Last active Mar 9, 2020
Linode LISH known_hosts for OpenSSH
View linode-known_hosts,,2600:3c02::f03c:91ff:fe93:e3bb ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC1YiyKqGc3i93G+/uzaHkNBm/GmwgkSoHBJD6CNam8dTo2zLZjCOBipb4OjbCHk3Nk6JrjC/at9H+iN7H7m8Vo=,,2600:3c02::f03c:91ff:fe93:e3bb ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMm+yFvNDZoSTVaQguo6HWCEHnUWHGbN2TdGWm2Mt9rY,,2600:3c02::f03c:91ff:fe93:e3bb ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVkOduQVZUDg6HBPWWjrRa7d45yJyZYfwu4/yqIRowZjoCAQ1ktJcvXg0ABGaQTPmc4dHrQa4pZmAkZRrBgu/xtdl3b9PLY1xQltmJAgYJ2z4SjJQFk7qZLjv2IqMJM7wOwjCLo92rCBk78cIWr0jl1f5qE+i63CH0E3P6k8tD+t+y1RU3Kwx4h1It3tPa45wqLuBsFFgmPfc0ztwYOjONUJGoRK7k4q198gRWmO6mEBTeOJkigfhuPb+BW53m9p1jLuCIP+BwMoG3kB8e0ZKq17IS/Y59+POfqIaFqQC50AAJwZsks2DZYWJPEql6XSgX4WW0IH7KG1m17j5r2xO1,,2600:3c00::f03c:91ff:fe93:2fd7 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGlT+WXbL+tUi40riCGUeYmNboTCGOgJgbYESmBfwP71aX9Mjm1Y44
philpennock /
Last active Jan 31, 2020
Two versions of "how to refresh PGP keys with gpg via WKD/external"
#!/usr/bin/env bash
set -eu
# Warning: we assume that the input of the list of domains to refresh is
# trusted, and free from abusive characters. So the only adjustments for using
# within a PCRE regexp we apply is "escape the dots to be literal".
progname="$(basename "$0" .sh)"
die() { printf >&2 '%s: %s\n' "$progname" "$*"; exit 1; }
usage() {
philpennock / tflint
Created Jan 16, 2020
Bash wrapper to invoke tflint docker container
View tflint
#!/bin/bash -eu
philpennock / aws-vault-unlock
Created Jan 13, 2020
CLI tool to unlock the XDG Secret collection used by 99designs/aws-vault
View aws-vault-unlock
#!/usr/bin/env python3
# Copyright © 2020 Pennock Tech, LLC
# SPDX-License-Identifier: MIT
aws-vault-unlock: unlock (or lock) the awsvault libsecret collection
The XDG folks specify the Secret service available over D-Bus.
When everything works right, 99designs/aws-vault trying to access a locked
philpennock / perlgssapi-code_GSSAPI_fix-macOS-heimdal.patch
Created Jul 24, 2018
perlgssapi GSSAPI module patch to fix compilation on macOS
View perlgssapi-code_GSSAPI_fix-macOS-heimdal.patch
Index: GSSAPI.xs
--- GSSAPI.xs (revision 73)
+++ GSSAPI.xs (working copy)
@@ -6,6 +6,8 @@
#define __GSS_KRB5_NT_PRINCIPAL_NAME &mygss_nt_krb5_principal
#define __gss_mech_krb5_v2 &mygss_mech_krb5_v2
#!/usr/bin/env python3
import sys
import time
def foo():
philpennock / SKS Privacy
Created Jul 13, 2018 Privacy text, pre-termination
View SKS Privacy
There are three categories of data relevant to privacy here: the public keys stored; the HTTP/HKP requests made to access/upload/retrieve those keys; what I as a keyserver operator might do with those requests (logs).
For the public keys: the SKS keyserver pool, run globally by disparate individuals with no formal affiliation, is currently an append-only store, designed to protect against attempts to remove data. Once a key has been uploaded, that data is part of the public record, designed to allow anyone to attempt to verify the name binding within the key, using the public attestations by others about the identity of the key (key signatures). Keys not intended for public disclosure should not be uploaded, nor shared to people who might upload the keys of others. Note that there's no protection against fraudulent keys, with bindings of any name to any email address, and there is no basis to believe any such pairing without first proceeding through evaluation of the public attestations.
The reques
You can’t perform that action at this time.