The Web Key Directory (WKD) is a standard for discovery of OpenPGP keys by email address, via the domain of its email provider.
The following command can be used to test/import a key via WKD.
gpg --locate-keys --auto-key-locate clear,nodefault,wkd address@example.org
(via)
Added a -f flag to the pgp-expiry-monitor tool.
It takes the fingerprint of a PGP key and looks it up on keys.openpgp.org to get the keyfile to verify.
% pgp-expiry-monitor -f 401F1D483C69BF624364CC01E9A68DCFA3A54203 -v Key A3A54203 (401f1d483c69bf624364cc01e9a68dcfa3a54203) expires on 2030-04-13 Key 29A48884 (1e8838bdcf9adf702496866f6baf170e29a48884) expires on 2025-10-15 Key B645E283 (47122b88b77ece545effb494498ea9eab645e283) expires on 2025-11-17 Key 93DDE912 (2f21f0dd9af127d61363423d4099876b93dde912) expires on 2027-04-24 Key 0240ACAF (a1f4c70962f89c2e628e8f05d29a32fd0240acaf) expires on 2026-04-09 Key 0B691623 (0d0bc31f58b8d18cb97c31eeebd187b60b691623) expires on 2027-04-13 Key 3AB76067 (43a83177a4ec64a62bae1ac77d779e883ab76067) expires on 2026-04-09 Key 7AE809A1 (9a6d5dbde2703d7c54806f1b5acb66c47ae809a1) expires on 2027-04-13
Hallucinated package names fuel 'slopsquatting'.
All that's required is to create a malicious software package under a hallucinated package name and then upload the bad package to a package registry or index like PyPI or npm for distribution. Thereafter, when an AI code assistant re-hallucinates the co-opted name, the process of installing dependencies and executing the code will run the malware.
(via)
To ensure I don't forget to rotate/extend one of the subkeys of my PGP key, I created a little monitoring tool.
I wanted something that reminds me well before my published PGP key shows sign of expiry.
And I wanted it built in a way so it can be used in a simple cronjob to continuously nag me until the expiring key has been replaced. 😈
So pgp-expiry-monitor was born.
It takes two parameters, the URL of a PGP key and the number of days in advance it should start warning.
If all is fine and the PGP key does not contain any expiring keys, it returns without any output.
Thus ideal for a cronjob.
Discovered a very helpful debugging utility: GPG/PGP Decoder
The hosted version helps to quickly find out which subkey was used to sign a message.
I used it to check that this signature contains the fingerprint and ID of my new subkey 🔐
One of my yearly digital routines is to update my GPG key.
Part of this involves adding new ECC subkeys (ECDH and EdDSA).
These are the commands I used this time (so I don't have to look them up again next year).
% gpg --edit-key 401F1D483C69BF624364CC01E9A68DCFA3A54203
gpg> addkey Select number 10 ECC signing Select number 1 Curve 25519 Select a validity of 2y
gpg> addkey Select number 12 ECC encryption Select number 1 Curve 25519 Select a validity of 2y
gpg> save
After this the new subkeys are available and the updated public key can be exported and published.
TIL: With iOS 18 a new feature was added to lock or hide apps.
Apps can be locked so that they require the passcode or FaceID to be opened.
And they also can be hidden so that they no longer appear on the homescreen.
Lock or hide an app on iPhone - Apple Support
(via)
zkbro discovered the nice Blanket web version of the Blanket Gnome/Linux app. Provides you with a selection of ambient sounds. Ranging from Nature over Travel, Interiors to Pink/White Noise.
50 ways to rest – Nicola Jane Hobbs
For anyone else who is in a season of their life where naps and hot baths and yoga classes are inaccessible, we can still rest. We might not be able to get the rest we truly need, but we can find little pockets of respite among the demands and responsibilities of our lives.
(via)
Hubble explores the universe 24 hours a day, 7 days a week. That means it has observed some fascinating cosmic wonder every day of the year, including on your birthday.
What did Hubble look at on your birthday? Enter the month and date below to find out! What Did Hubble See on Your Birthday? - NASA Science
My birthday picture is of the Whirlpool Galaxy:
(via)