Sign emails sent by keyserver

[shuffle2]

It seems natural to sign the messages being sent out :)
Luckily, the api used by keyserver claims to support this already: https://www.npmjs.com/package/nodemailer-openpgp
Adding signingKey to the call here https://github.com/mailvelope/keyserver/blob/master/src/email/email.js#L49 should do the trick.
The keyserver's public key can be hosted by the keyserver itself; the benefit of signing the message is just to give users more assurance of the origin of the message before they blindly click a link which has been sent to them.

[shuffle2]

I've tested it out and it works for signing the verification email.
However, nodemailer-openpgp is made such that it assumes an empty array of encryption keys means the message should never be signed. That makes no sense (and means we can't sign the removal message). So I'll file a bug against that project...
Edit: I guess I won't file a bug since there is no tracker for it.

[cooper2k4]

I just tried the keyserver at https://keys.mailvelope.com/ and this was the first thing I thought too. Send out signed emails. Anything new on this issue?

[dkg]

I agree that it makes sense to sign the mails if possible.

[jiangjiali]

  async _sendVerifyEmail({userIds, keyId}, origin, i18n) {
    for (const userId of userIds) {
      if (userId.notify === true) {
        // generate nonce for verification
        userId.nonce = util.random();
        // await this._email.send({template: tpl.verifyKey, userId, keyId, origin, publicKeyArmored: userId.publicKeyArmored, i18n});
        await this._email.send({template: tpl.verifyKey, userId, keyId, origin, i18n});
      }
    }
  }

文件在 src/modules/public-key.js
在文件的 160行
删掉 publicKeyArmored: userId.publicKeyArmored, 参数就可行收到正确的电子邮件了。