🏴‍☠️ skull-squadron

How to correctly use a hardware random number generator (hwrng, trng) on Linux 5+ (Debian 12+)

Problem

Linux entropy pool doesn't know about external, non-default, non-driver entropy sources.
Modern Linux usually reports 256 for cat /proc/sys/kernel/random/entropy_avail. This has to do with the entropy pool rewrite sometime ago that prevented blocking of /dev/random.
There is presently no userland entropy pool seeding "pull" mechanism.

Solution

set -e, -u, -o pipefail

The "set" lines These lines deliberately cause your script to fail. Wait, what? Believe me, this is a good thing. With these settings, certain common errors will cause the script to immediately fail, explicitly and loudly. Otherwise, you can get hidden bugs that are discovered only when they blow up in production.

set -euo pipefail is short for:

set -e
set -u

How to generate a sha512 hash suitable for /etc/shadow using Mac OSX

$ sudo easy_install pip
$ pip install passlib
$ python -c "from passlib.hash import sha512_crypt; import getpass,string,random; print sha512_crypt.using(salt=''.join([random.choice(string.ascii_letters + string.digits) for _ in range(16)]),rounds=5000).hash(getpass.getpass())"

Quick GPG Smartcard Guide

We will generate a master key with only the Certify capability and three subkeys with each of the Sign, Encrypt and Authenticate capabilities. These latter three keys are meant for daily use and will be transferred to an OpenPGP smartcard, which has three corresponding slots. The master private key can then be moved to offline cold storage, or stored on a second smartcard.

We are generating keys on a secure computer instead of on the card, because it allows more flexibility. Ideally this means a machine running Tails or one that is air-gapped and not connected to the internet.

This guide assumes that if you want to sign other peoples keys, then you will require the aforementioned secondary smartcard with your master key stored in its Signature slot, or if you only have one smartcard, then you'll have to fetch the master key out of cold storage. By default, GPG generates a master key with the Certify and

	#/usr/bin/env bash
	set -Eeuo pipefail

	REV=2024
	SPECFILE=
	trap 'e=$?; trap - EXIT; [ -z "$SPECFILE" ] \|\| rm -rf "$SPECFILE"; exit $e' EXIT
	SPECFILE="$(mktemp)"

	cat >"$SPECFILE" <<HEADER
	Name: texlive-FAKE

	[reload]
	command:/usr/local/bin/flock -n -E 0 -o /tmp/filter_update_tables_blk.lock /usr/home/blacklist-update.sh
	parameter:
	type:script_output
	message:IP Blacklist Update
	description:Centralized Blacklist IP Update from my own service

	#/bin/bash

	set -e
	SPECFILE=texlive17.spec
	cat << EOF > "$SPECFILE"
	Name: texlive-FAKE
	Version: 2017
	Release: 4%{?dist}
	Summary: Dummy wrapper for manual texlive install
	License: Artistic 2.0 and GPLv2 and GPLv2+ and LGPLv2+ and LPPL and MIT and Public Domain and UCD and Utopia

	$ ./configure --help
	`configure' configures this package to adapt to many kinds of systems.

	Usage: ./configure [OPTION]... [VAR=VALUE]...

	To assign environment variables (e.g., CC, CFLAGS...), specify them as
	VAR=VALUE. See below for descriptions of some of the useful variables.

	Defaults for the options are specified in brackets.

	console.log(1);
	(_ => console.log(2))();
	eval('console.log(3);');
	console.log.call(null, 4);
	console.log.apply(null, [5]);
	new Function('console.log(6)')();
	Reflect.apply(console.log, null, [7])
	Reflect.construct(function(){console.log(8)}, []);
	Function.prototype.apply.call(console.log, null, [9]);
	Function.prototype.call.call(console.log, null, 10);

	require 'bundler'
	require 'active_model_serializers'
	require 'roar/decorator'
	require 'roar/json'
	require 'rabl'
	require 'jbuilder'
	require 'benchmark'
	require 'ffaker'

	Post = Struct.new(:id, :author, :body, :draft) do