Right now, in order to update a key's expiry date, you need to remove the key, and re-upload it with the new expiry-signatures.

It would be nice if the keyserver would detect these signatures, and update the key accordingly. User verification would not be required in my opinion as you need access to the private key in order to update the expiry date.

Basically the above, I can't revoke a key with my email address, I get the follow error:

Error! User id not found

Version 2.4.0 of koa was just published.

This version is covered by your current version range and after updating it in your project the build failed.

koa is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

It's possible to attach arbitrary third-party certifications to an already-validated OpenPGP certificates that are published on hkps://keys.mailvelope.com simply by uploading the augmented certificate to the "Manage Keys" web form. Some OpenPGP keyserver clients will reject too-large certificates when fetched from a keyserver.

This means that an anonymous user can attach garbage to an OpenPGP certificate, potentially bloating it in size beyond what clients will accept. If there is a limit to the quantity of third party certifications attachable to any given certificate, then the anonymous user can fill that limit, obstructing anyone else from attaching certifications.

This is a similar attack to one of the attacks that have been mounted against certificates hosted by the SKS keyserver network.

To fix the problem robustly, you'll either need to stop accepting third-party certifications entirely, or figure out some authorization scheme about which third-party certifications are acceptable for any given certificate. I'm happy to demonstrate the attack for any of the Mailvelope developers privately, and to talk over the options for mitigation of the issue.

sorry to be the bearer of bad news!

Clicking on the button "Try it now" on the mailvelope keyserver's homepage (https://keys.mailvelope.com/) leads to a page not found (https://keys.mailvelope.com/ui.html) error.

https://github.com/mailvelope/keyserver/blob/master/src/app.js#L68
Currently keyserver adds a bunch of headers which are not really it's place to manage, especially if it's running behind a reverse proxy, which appears to be the intended scenario anyways.
For example, the current keyserver does not support serving HTTPS itself and yet it is setting HSTS and HPKP. IMO these should be handled by the reverse proxy. Any headers keyserver sets should be considered only for the [keyserver <-> reverse proxy] connection.

I am using gmail and wanted to create a new key pair for sending emails.
I can receive the email to verify the key. After entering the password I receive a "User id not found" in the Firefox.
After that I tested the same procedure with Chromium. It works there.
So that isn't any bug of the operating system.

Link to "User id not found": https://keys.mailvelope.com/api/v1/key?op=verify&keyId=e060293bba13aefb&nonce=5c42fe37d73d48b2ae6f82f9bc457515

Firefox version: 60.2.2esr (64-Bit)
Operating System: openSUSE Leap 15.0

RFC 7929. See mailvelope/mailvelope#412

Version 10 of Node.js (code name Dubnium) has been released! 🎊

To see what happens to your code in Node.js 10, Greenkeeper has created a branch with the following changes:

• Added the new Node.js version to your .travis.yml
• The new Node.js version is in-range for the engines in 1 of your package.json files, so that was left alone

If you’re interested in upgrading this repo to Node.js 10, you can open a PR with these changes. Please note that this issue is just intended as a friendly reminder and the PR as a possible starting point for getting your code running on Node.js 10.

Your Greenkeeper Bot 🌴

can't 'Upload Public Keys to Keyserver' from Enigmail
I get the response:
'Sending of keys failed'
Enigmail version 2.0.8 (20190203-0951)

Similar to:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.5
Comment: Hostname: keyserver.ubuntu.com

Version 1.29.1 of config was just published.

This version is covered by your current version range and after updating it in your project the build failed.

config is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

Hello dear team,

I've implemented Mailvelope Key Server from github on my private network and I'm using it together Mailvelope for Firefox (as a convention, whenever I quote Firefox, it should be interpreted as Mailvelope in Firefox; in addition, the key server configured and saved is my private server). So I'm having some problems. I thank you for some help:

First doubt is: I defined as a key server in Firefox, my private server. Also, I have exported to the key server some public keys to make tests. The problem is that when I'm going to import the server key using Firefox, this process does not work correctly (I think) because the server does not return a complete public key block; the server returns only the block like below:

information: 1: 1
Pub: 8A9B02981524A29C09585570B1EC5D10B5D256F8: 1: 2048: 1549892665 ::
uid: Regivaldo% 20G.% 20Costa% 20% 3Crcosta% 40rclabs.com.br% 3E :::

Next one is: using text encryption in Firefox, when I add a recipient stored on the key server, the public key is not found. I have monitored the server communication using tcpdump, but in no time, the Firefox package arrives. But even set the key as my private server, Firefox always does query to keys.mailvelope.com, never to my private server (except when I'm using the "Key Management -> Import Key" option and result is wrong like above.

Last one is: how I put the server to work using HTTPS. The only port listed when the server is started is the default, that is, the only port in listen is the 8888). I'm using the configuration shown in github, of course using my environment settings.

Thanks in advance for any help.

Kind regards.

Regivaldo Costa

Hello,

When I am trying to add my companies internal key server, it does not allow for a port to be added at the end of the address using a : . This pretty much makes the app useless for enterprise type environments wanting to test out your application addon.

When can we expect a fix?

How is one supposed to interact with the mailvelope keyserver via the gpg tools (command line). The usual command is:
gpg --keyserver hkps://keys.mailvelope.com --search-keys ...
if I use an email address which is uploaded on the mailvelope keyserver (eg. my own one) it doesn't find it. What am I doing wrong?

Hi,

after upload of key 6E0A 4E90 3241 34F0 2788 445D 044A 25F5 267D C236 the keyserver threw an error message that went something like "email could not be sent", reducing the key via gpg --armor --export-options export-minimal --export 6E0A4E90324134F02788445D044A25F5267DC236 resolved the issue.

My best guess would be that the issue is due to the attached photo user id, but it might be something else as reproduction with a random other key with photo id failed.

Sorry for vague error report. I will put better details when I set up my own mailvelope keyserver. But maybe this already helps to find the issue?

Sincerely,

Malte

keyserver currently serves bootstrap.min.css and jquery-3.0.0.min.js from off-site.
For the paranoid, this is no good as the client browser will happily access these resources (sending referer headers and such).
After moving the resources to be local, the CSP ( https://github.com/mailvelope/keyserver/blob/master/src/app.js#L78 ) can be removed as well.

The devDependency supertest was updated from 3.3.0 to 3.4.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

supertest is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

Version 2.4.0 of winston just got published.

This version is covered by your current version range and after updating it in your project the build failed.

winston is a direct dependency of this project this is very likely breaking your project right now. If other packages depend on you it’s very likely also breaking them.
I recommend you give this issue a very high priority. I’m sure you can resolve this 💪

Your Greenkeeper Bot 🌴

Version 2.2.32 of mongodb was just published.

This version is covered by your current version range and after updating it in your project the build failed.

mongodb is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

Currently, when a user clicks on a link sent in the verification email it it just says:

Email address successfully verified!

It would be more user friendly to show data about the key (or at least the email address) being verified. Reason being, a user can "see" a result of the confirmation e.g. their key's data

It seems natural to sign the messages being sent out :)
Luckily, the api used by keyserver claims to support this already: https://www.npmjs.com/package/nodemailer-openpgp
Adding signingKey to the call here https://github.com/mailvelope/keyserver/blob/master/src/email/email.js#L49 should do the trick.
The keyserver's public key can be hosted by the keyserver itself; the benefit of signing the message is just to give users more assurance of the origin of the message before they blindly click a link which has been sent to them.

I'm using keys.mailvelope.com hkp protocol, but it can't find my key even though the website interface works fine.

Perhaps I am stupid or this is a GnuPG issue:
As the keyserver should be HKP compatible, it should be possible to query a key with GnuPG.
Using GnuGP 2.2.5 I tried many variations of the command line (with hkp://, with https://, without prefix, with port, with no port, ...).
But I cannot get any key result.

Is it my fault or a GnuPG issue.

If it is my fault, please provide a command line for use with GnuPG.

Thanks

Version 4.0.2 of koa-static was just published.

This version is covered by your current version range and after updating it in your project the build failed.

koa-static is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

I am new to node.js (so probably something better should be done), but I'm using the following on my server:

diff --git a/src/app.js b/src/app.js
index a37291f..4a14eef 100644
--- a/src/app.js
+++ b/src/app.js
@@ -30,6 +30,8 @@ const PGP = require('./service/pgp');
 const PublicKey = require('./service/public-key');
 const HKP = require('./route/hkp');
 const REST = require('./route/rest');
+const fs = require('fs');
+const https = require('https');
 
 let mongo, email, pgp, publicKey, hkp, rest;
 
@@ -123,7 +125,12 @@ function injectDependencies() {
 if (!global.testing) { // don't automatically start server in tests
   co(function *() {
     let app = yield init();
-    app.listen(config.server.port);
+    let https_options = {
+      key: fs.readFileSync('privkey.pem'),
+      cert: fs.readFileSync('cert.pem')
+    };
+    https.createServer(https_options, app.callback()).listen(config.server.port);
     log.info('app', 'Ready to rock! Listening on http://localhost:' + config.server.port);
   }).catch(err => log.error('app', 'Initialization failed!', err));
 }

This is because keyserver is running on a different machine than the reverse proxy (which has the HTTPS server actually talking to the browser client), and I wish to avoid the "https added and removed here" problem.

I wondered if the private key can remain persistent - e.g. if I create a key on on device within my chrome browser and then logout and in at another device if this can follow me - my thought might be to have the key in a home drive or in the case of chrome os it link to a google drive location ?

presently when I move from one device to another I have to re-import my private key before I can send secure mail.

Hi there,
maybe a little howto section for the steps to take when someone wants to host this nice piece of software on e.g. an Apache would be cool. Especially when the person is not that familiar with Javascript build/dependency mgmt. tools like npm.
Kind regards, David

It would be really great if you would add email lookup via hkp. I am using hkps://keys.mailvelope.com as keyserver in Enigmail but it doesn't find any keys.

I don't upload my public key to a normal keyserver because this exposes my email address to spammers. Right now your keyserver perfectly prevents this as one can only lookup by email (and not by name, nor just syncing the whole database) -- can you ensure that you will stick to this behavior in future?

It's really helpful to users to be able to lookup keys by name as well as email field!

Version 2.5.11 of openpgp just got published.

This version is covered by your current version range and after updating it in your project the build failed.

openpgp is a direct dependency of this project this is very likely breaking your project right now. If other packages depend on you it’s very likely also breaking them.
I recommend you give this issue a very high priority. I’m sure you can resolve this 💪

Your Greenkeeper Bot 🌴

I haven't found anything on this topic. So is it possible to sync. keys from other keyserver with my instance of Mailvelope keyserver?
If not why?
If yes how?
Thanks.

My system for deployment: Ubuntu 18.04 LTS

What I did so far:

1. Installed MongoDB for Ubuntu like described here: https://docs.mongodb.com/manual/tutorial/install-mongodb-on-ubuntu/
2. Created a MongoDB user for the keyserver database
3. Installed node like described here: https://github.com/nodesource/distributions/blob/master/README.md#installation-instructions
4. Cloned this repo
5. Set the configuration variables via npm config set <key> <value> -g as required (see: https://github.com/mailvelope/keyserver#production)
6. run npm start

This results in the following error message:

> [email protected] start /var/www/html/keyserver
> node index.js

info: cluster -> Forked worker #1 [pid:17830]
info: mongo -> Connecting to MongoDB ...
error: app -> Initialization failed!, MongoNetworkError: getaddrinfo EAI_AGAIN undefined

I was not able to synchronize one of my key from mailvelope saying the email could not be sent.

I went directly to https://keys.mailvelope.com/manage.html to upload it (after successfully uploading it to the ubuntu keyserver).

When pasting the following key I get error Error! Encrypting message for verification email failed.

I use gpg --armor --export BB6DE122BAC91D1260B68C73A82ED75A8DFC50A4 to export the key.

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFIOL04BD/98/CNoui2QplqqyejVnehCrFL0MHLV8ilNNG9Ft/j1QA9A19TD
MuyqrU7BnalSQ3yl+uX1UK3y2rZX6kLNnozD21r/91kBvZwG3CcVNmyu+P2fLNyd
2UVQhDiZ1ebiEOW+W2xtxqU15ILK5c5u1QbTUqwHyNkSUWavNoT/BHP/Br4Z2/uk
WaslFYh1SnSS+WdVu6Oj1/OOOMUWe2eWgH+Eu6725JO+8lkK1XOt7kx4pKjiLQpF
7+x79aNPZhXrO9lqPQG3bjHE8k+2OeqzMImWxLDCFTnJQGSw11k9VNxCrnHEADQZ
Yq42O0AQuudDi9bo2UCPiCGbg+OAOOjcQst/FCbRHUL929HPwKkm1yiWwXDuHGHx
rCUEHxIEaeuWQntpOtgFdvoRACUZv58Di/XiFUd6zJCE4SR5RwdxD/SbxfFuo1v8
I+r/YH8We3miuoZ5fXNryJMO8ZeAmZpNNjvps/KtK4rKdQq/Cish5VQGMD6NMiOj
g/XeeFmHKXCi7Xx7DGJIWvq5Zt/6+6B0aaOHfzd4a6b1hfK9sDOJNANhk1Pl9AMe
xw4OSre+25+zocLYlRmVWlQz44na7kd78cfLOa8PJFAgsjtKvl6NnqrhRY33t/w2
Ze0t7O7xx7Ry9NHNWOo77C9UDMtWmAmrgroFPfsJ13+hNj3AvhRbujDVJQARAQAB
tCVGcmFuY2sgUm95ZXIgPHJveWVyLmZyYW5ja0BnbWFpbC5jb20+iQI5BBMBAgAj
BQJUSHElAhsvBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQqC7XWo38UKR1
BQ/+OpHUSkm7TI0HO7hkhX5hnl4dS9o5G8euKocqg9wYFFkixdIIkCB/+gm+Bwsu
aFeAvM7UkErIjCqlf6HEKqj3iDPOd/2eHoo3/8EOPy7CW98EI4iM1TNmJjQnQcxA
JqbP3/tehlpn2JS+lUXx6YyFx9stcB34P1KS3p+7JUzMrKYe/PmGCEB34SpCoGxm
yZpF4a97Lqbgj3Sf9EPY2O0Vp6UAYWCVN7NY7LryxO25bNvitIbuI80sRDn1EHDJ
ueOKjhzCiZjPRZARqREtubMEkag2nS1PQ9FOxayvrNqEDzOD6rfId4bhz+jMnPuy
QpMkCqB87wgL5fRB/p7xm+RpRoAeiubibP6bmmEKDbLPTnQEES4Si1ANTUV+3Rbz
thVzszMI566GpjqjBAWF63SnQdO6CEPlmLxtXmypIEhlvvPbIUxXrXanxfiH0aSA
SvomZmoVGCqw/EKnQMwjrYknJU4gQBBQNtgLB7eHW4yJy544P3uHTQre0KrddL2h
J962VOmoZOZqcn/ACOIp9DvHscK0UGt9FwtO3zl27051Jl+mEwisymDXgMo8qvn2
px3DEQx7M6YTJtFIyaPc4w631HUhDq0bmxj/4Fc36V7mXojDibQEBknbKfnW78Ru
3ExP+CwgHa9P2YOPZ3hJBc4OO3mtTgGode5r1ypOkx6VF5yJAk8EEwEIADkCGy8C
HgECF4AGCwkIBwMCBhUIAgkKCwQWAgMBFiEEu23hIrrJHRJgtoxzqC7XWo38UKQF
Al2dnE4ACgkQqC7XWo38UKS0rA/8CI2saZ0/k/73adwt/fFyu3UI59qpT/H2rqkL
xIpdBsjUwx3inVGIFhTs/J0c9lCJISa3BE5kGOwcP5PgOQPaDBFPMDiYMbkU7a7Y
P1Y2wgSzS7BK4kg/q+2TbrDoQUCEyqELvz3aVc81ZOw/fSrOmDaqVFbGsHpckcoq
qTI8SAIw/1l/7AUMgZMy753j8SfjH6cqaVq5OqilURB/Zunl6fhd35b9oExz62kX
mrXA1zCZ+bl6oRfmLDJjfcU6TVZzgslrBiEF6gnNfx+QCSiUkJQSe+kYMwej8b1E
H7lHxRO1EusanbeitADzjRQF3lPdjprC0RKQ8RLKtHyp6dkOshf5+qlUM0TQ8dEV
ZJHNlpYKNWtsVj+w0Ql043K2N+qjpnjLVQxiECwm23HA6jSWuTEjdY2csq5ahfQ6
ZPAdOqUS0ZspiJ7ntI0ABTj15beih26pD+P3k96mXiiHIZGTNoskfnPpehmRbs3V
DUyz431MdMh+py9yVyZiKtcq4AuFDAjA1htar5m5rDqukTrZOyqz6Ovgk+sjYFoG
hzezSZKmiqOqJtuzZnB3M/yPkj/Kbvmy8HeUB/EXkaxUIIUXYXl5mvcXZ65y5EBo
m+Hox9S79ADaGMgm/2jWbdAFxzU24yLlryXawaI6OUJCgMCGX5yDcIVOJBoNXrmW
gUe4OD60I0ZyYW5jayBSb3llciA8bWFpbEBmcmFuY2stcm95ZXIuZnI+iQImBBAB
CAAQBQJSDi+xCRCoLtdajfxQpAAKCRCoLtdajfxQpH/rD/wIWz4NUFmhshWOAnpp
ut0i75y5Q7RHEvCowPlDsSzYEEOJdO2U5+1PccnslAM4bl8gxTsmIexjM3HnCArY
zlZBzwgzfJdUWrpqnYYIMY58jZEZyfgDfS6JP/qcbuuwLa8DPjU5qVfzvNBzDkHP
mkyMC2lgPUkdDF85qzM6eLSni321Ad4IJk08trKNvEqykT/o8pdTWxMl3nxkB7Y5
d3cOD+DPOqsN0r49GRN5MgyqOa+BTbxqCXA/fvzSNmLZu2e7imEkQ42cPLVlq8P/
HVV82q5Lq0XhFHaq2RwlqNqT6M7SLX+GL8HK/5ClwG8oRqepwEM9s1tPNQm4s3cY
Bf6xBa85LiUJrbKvIqiEkC9KinUoryp1ymHLWZ8HBz/Mc1u740zjIVv5lGsii8Pd
vFr7E7avYvcCAEJtUA73EFN4Gu4wjRSdvSoKOzyQNwArUBHoWhnHdPeOYFQAbC98
F5IKt7ShqelX4g2JzBMLBZnrqky//vhgj8TMQ6MYASfT2iDZzGpDr5non7BqC5Nx
NzmK/3tYZMCbk3jwW9sy9S+gQwhJwu9KswafKrLSzPqHzQH2/KspWjeF5rSy4T37
ch1yH4l0VtWuG3LyMbD59n/o84cQcq4myiNE7bI1RDNIw59OS5OzqvrzxqCXy4WF
BXlXZO85+SHTq3j0R0fxhf8vgIkCNQQQAQgAHwUCVEjCTwYLCQgHAwIGFQgCCQoL
BBYCAwECHgECF4AACgkQqC7XWo38UKR4Tw//Q5XQ9eteV0SuiXq7E1ofH1lF1jll
jNid0gvJMkjPtmoVLEnm/vMKbW0mL7EY2c4l5DiSe71a/JyOwh2+FTbLki2inzOo
xzf7mhR1vZfZz0TsJR6FybbAzvdMstKiwBIiDtwEl1tOPcczAgDmzGXrYwg25pEU
26fhb5oeothDTgjTP6behYL0S8hNM/EkjG6Ovt8xQhBue1WEVN2UXqfQ9LvbLSTC
iOTU9Auk4MdVL7ihrhMsHrs2NnXfDyiNlE502+8A8kw4InAHmprSHPXW9YYYh8T+
nj97RHANI5Yiet/JvzQX0arYjS3DQj96qEcpNKBNkWqPNXYbuiIZnffzyyzV0qfa
KZ5CpbSAF3dt+0EvV/EPJq+nAdl69cc9VTC6kgwTBxMLfagtXP9oi2iT60Z6tCgQ
jQgsOyTylILUbOnD/mP0DH6aSDT38e97iJIqD8uAYAG0wwHq0cZpMVE++kHDPmWi
Z2nOB1nQDyebHS77LEMaIhfJPLAKiBjvgjqlUCwbOaFHgIUf+VfTsIWJaJqjekve
qBQnH6piJti8HMMMC2IjVs4iFC+0HnldWHrqcm/QG4b2nFShBw/iTv9t5oVrriyI
8hHWjhHK8fhpaC5lBVkxvlIvKHt+CpRrky9ZVFqyPgXZ10WnKOj3Uw53uhVhW99L
XSH3yB22jN6qHuG0J0ZyYW5jayBSb3llciA8ZnJhbmNrLnJveWVyQGFtYWRldXMu
Y29tPokCOQQTAQIAIwUCVEhxFAIbLwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheA
AAoJEKgu11qN/FCkH2IP/A8lg8PpTHuGeVUCQiCpfks3sQ/9mtQFMVY3AR8IqajC
1zSxcGCpjnLoVVq/5O21aQGF3FluV5FzizXDNt8gvraMh0CKQrDHhENReRjt9al0
x2lzWi/4iMRgzMgYpfIDFqBfAOEQeZ+3gUPlZHpKHEcgdqKycw5I3v6yuOCfNf7n
0dPPFd0iJmcNwTRxB6vQe9jlTMrbP2UenTgzIDybFCo0uWsM4PV1fjoHO8f1s3X3
O6vk63qnO3F8P+eQUTHEOwuBdj3FJNccWCn3pMnF10u+FH+TZOkeTpTjyM0RFWzX
t24vSN1+63NQ2vOI+QYxWPvQtbw/Ra4rqmgu47vP2altLRvZkeWtrmldpyj/opwJ
Yd1y78vj+qy1QQuJuxZf8V93x6162/Kj1IdGLU70ErjXWwRu0EUle3EiM/6Tch2q
vQSkMT4l6/Uc4200yTNRtl6tvlCqOF/VAPmJJF2cCN/VbzWehgnbtThvMxMxonB+
qNh81t3uWtFGYo8zQCnzoXJeW9WiCwdHi2BwW05zp377g1Xa6eLQ8GvH9Kq/ynkC
VXPWVxMC+irBaDklnxyKxitqGzZvaItVov4JVOcKAVrenWajcZV1GY6iPEMsr7YA
5WIjAvfjz8EIdcXbxA1pyYUM/9SkZ5YSGKQsakZWP6jytqeL+rvC4e/ROFtPsPy4
iQI4BBMBAgAiAhsvAh4BAheABQJUSMJPBgsJCAcDAgYVCAIJCgsEFgIDAQAKCRCo
LtdajfxQpCOrD/wKKC6xH6QyMWFQbFUdJGRG1SB+e5eJEEABBVgLFPWzGGUkOjD1
L88Cm9ZeLewb5HAJpQkq5+hSsUAdP0teZxMykHR715jYNfoweq67ghT50YGu+fyg
/9N4XPAR7XMSyza3aJRwDlrfSrv6e5F3pRzwMFOufSK1gn4jkSpNLtBgXfZ5n3X2
jTCTYGT5HwaRLdnpGAoZUC1hSh66dbIN8biSHw5bb5xISu/hs+WIDuNjbEendtWZ
5DrSwmBuNuiCjj/lxi34OTw57PxXgjLt3vSqsXdUaT8lceR366CjFHYEvEXIPXHs
eFxMA4HfF06mGwxzvOPBw/u2pLx3ve2veUYPjZGaPBOZxk2WzGEsxQ/HA1SjTB9R
KyyUE9lJ1p2zIUbMUgdVuNm9BEyV4d3YinX3JSPG5tXtqj4pc99w3M/bFl5ocpeb
IG0r+tuhkGOrPqQRoi9KWJC06gOV/kOuodKBcZrJrMjpv5Lss8dtk8CT13jR2RHv
Exw+N4Zw0wLjDj6V9FbzxVd+OKEC03ik77L2qExUF3rnPNnXimnBMnzKVPODRPOL
nZIkaVLlJN/qUAMx1W7V/HEBrkqtlTwPuCCmj6wTlDXsUQjzKUvJmEQ+7v0/jg+4
ihYOJJ9k8GX6Pk2TKhL2YlUe98RbMZM0SOYYFtucky93Rq40EMOwvKIrm7QfRnJh
bmNrIHJveWVyIDxmcmFuY2tAcm95ZXIub25lPokCTAQQAQgANgYLCQcIAwIEFQgK
AgMWAgECGwMCHgEWIQS7beEiuskdEmC2jHOoLtdajfxQpAUCXZ2cWgIZAQAKCRCo
LtdajfxQpJ2UD/9a6lDq0c8TkavTX2ZtmVdIIKwgtbvH5nZkXKYFDKSjDv733Zio
4KJrTXd0SMPtXkXbS58d9cjN4oNU/AlC8b9ZQ8SJ7Me+QXfLjZDBzUCYB1Ia5XPP
vKXAy1vH1V/KS3xsG/LV/mhzIQF2ulZ9LsgUHabpK0PrgfpXgJu99Il4dc0urnoM
pTtBEm2eAV2Tkcb91F3DMH85zXIvT9e0jJs8iGaj8LQjlOwGU4X+8Wy6ySfUwBk/
yIrnJF/UjzfB7cgcyHJPWerYnFIMi9UR/nv4LQ5WD3qS5aKiPXwSXW9+4VKSL8JQ
iwb+CdEVKc9NMp1IQFFmC+gAu4+yEQVBm5FIhBAdUeps6RMKgSSuwohzsIXWdfWy
01gJ6kJ7Ih2b+Q/wsTAJS1UwMNuOFNkirDMsyHpju5dk9P1bwna4GYnwxW9/aWy1
3tBi7ZrfL2NXzZow6iShCte2CFWcqKFJZ1Xg77tG8CSBV9zFWlLeN5hQvT4wqHLZ
1l7b2vrjzY3NmTGm5wAhB5v3CpqH1VM+aDAVRrkngo1xxgHUaXhzTf+xTHP4W65C
NIvZ4IsZwsRXwrF5ZLZEtnHWtMlGs5fHVlW88JmSMlEteZqmxT5irxZr7vbm1x2G
wWMslTybnLhz1hJFO+6kxM1l7LUlQof+gI4MLGThfSCTuywflQZMStp3QLQhRnJh
bmNrIFJveWVyIDxmcmFuY2tAY29ibG94LnRlY2g+iQIyBBABCAAcBQJdnXmoBgsJ
BwgDAgQVCAoCAxYCAQIbAwIeAQAKCRCoLtdajfxQpPGsD/9COtV8Xieqtfluj0yL
+pk4L1fBTZGjLC5Id/crIk7YA8qVjb5yyLJDgLNQQUaB2ES3IABiX1ex2hcEfC62
RvAW8lCjmEWwcFej2hp97UahoWWP4e5m4gjem7QU0an43sW6fx8faunt/9MBS+qw
dKyuJcsroAYQGFupEJhZHUl15pr9/Zc8uPT1xxIB514MIhnzO8gOpKMhEaJ7Pi0i
tIR9+rwP1eJHFzFi3weHYO52kbGBimjBevBu3G5oj8iUSxIa4yZU4juNuNLjoHOa
LP+vt76vG5byeB1JUR5eRv4P0NAgvr/FkOB2wFwYKMo+OtKUvt0CC87lnI3NrSwd
wCCnxaRx+rtj/WVIGOrtZUACXr+bOgB4Z0PnFH0IGVbhcUxTaq6q50fsC9H3aeaL
IIwNd6KYK/yTItA+7YIczGfiIPkdid1mp+6LKp5vO+ZDyGxIoxnO98+Q0b4ztqe2
DVp0jc2i8Ty2B7HU4RaN+m7V2t7SPSQiq6LL6tDfvtbxIyVXYTkZNGvSjykWoxno
gPYU7MCL1SUA6CnrAzXKJvacocFLWmSkKZS1+PxHZcUae5U7z48cLJAwSkj77Pjo
rY1qMW2tnpcDPKEz1F5zEbxJhQCWb7MNfgv52kB3VNRa4/NUlakOUPtHR3/Pzu+k
vYArHqyXQ4N938PPMhtwT3bzSw==
=jRuD
-----END PGP PUBLIC KEY BLOCK-----

Version 4.6.0 of eslint just got published.

This version is covered by your current version range and after updating it in your project the build failed.

As eslint is “only” a devDependency of this project it might not break production or downstream projects, but “only” your build or test tools – preventing new deploys or publishes.

I recommend you give this issue a high priority. I’m sure you can resolve this 💪

Your Greenkeeper Bot 🌴

Hi,

This might be more of a feature request, but I noticed mailvelope keyserver does not return results when searching just the mail domain. If you search for gmail.com or any mail domain within the OpenPGP key lookup field, you get Not Implemented. I tried playing around with the mailvelope API, but got the same results. It would be great if searching by mail domain was implemented like SKS. Thanks for developing such a nice and modernized keyserver.

my OpenPGP certificate 0xC4BC2DDB38CCE96485EBE9C2F20691179038E5C6 has two User IDs, one of them using debian.org and one using fifthhorseman.net

I've uploaded it to keys.mailvelope.com but only clicked on the link in the verification message sent to the debian.org address.

When i search the keyserver via HKPS based on the fifthhorseman.net address, i get no responses. so far, so good.

But, when i look up via the debian.org address (i.e. https://keys.mailvelope.com/pks/lookup?op=index&options=mr&[email protected] ) the listing includes the unverified e-mail address as well:

info:1:1
pub:C4BC2DDB38CCE96485EBE9C2F20691179038E5C6::null:1547878146::
uid:Daniel%20Kahn%20Gillmor%20%3Cdkg%40fifthhorseman.net%3E:::
uid:Daniel%20Kahn%20Gillmor%20%3Cdkg%40debian.org%3E:::

When i actually choose to download (i.e. via https://keys.mailvelope.com/pks/lookup?op=get&options=mr&search=0xC4BC2DDB38CCE96485EBE9C2F20691179038E5C6 ) then i only get the verified User ID. So that's also good.

But given the expectation that users have of a validating keyserver, the machine-readable listing probably has no business displaying non-validated User IDs.

I don't know if its possible to setup https within the project but I'm doing it through Apache2 proxy. It works fine until the emails sent have the wrong link.

The verification and removal link that arrives vía email always says:
http://localhost:8888
but the ideal link should be
https://keys.mydomain
Can you make the host or baseUrl configurable in config/ directory?

After I decrypt the link from the email provided by encrypted.asc
The api reply with "Invalid request!"

Hello,

config/development.js has been removed but it's still in the doc, no informations about which config file is the good one & which syntax to use.

The verification e-mails are currently Inline PGP, which is problematic for a number of reasons, and difficult to parse safely. Please use RFC 3156-style PGP/MIME instead.

So i went to https://keys.mailvelope.com, clicked "try it now", uploaded a public key, got a verification link to my mail address (holger at merlinux eu), went to it and it all seemingly worked. But the keyserver's search does not find it. I can't add it a second time, it complains that it already has this key. Is this some temporary sync issue or a real bug?

When running npm test:

> : ${NODE_ENV=development} && grunt test

Running "jshint:all" (jshint) task
>> 18 files lint free.

Running "jscs:src" (jscs) task
>> 18 files without code style errors.

Running "mochaTest:test" (mochaTest) task

/home/ubuntu/keyserver/test/unit/email-test.js:5
const expect = require('chai').expect;
^^^^^
>> Mocha exploded!
>> SyntaxError: Use of const in strict mode.
>>     at Module._compile (module.js:439:25)
>>     at Object.Module._extensions..js (module.js:474:10)
>>     at Module.load (/home/ubuntu/keyserver/node_modules/grunt/node_modules/coffee-script/lib/coffee-script/register.js:45:36)
>>     at Function.Module._load (module.js:312:12)
>>     at Module.require (module.js:364:17)
>>     at require (module.js:380:17)
>>     at /home/ubuntu/keyserver/node_modules/mocha/lib/mocha.js:222:27
>>     at Array.forEach (native)
>>     at Mocha.loadFiles (/home/ubuntu/keyserver/node_modules/mocha/lib/mocha.js:219:14)
>>     at Mocha.run (/home/ubuntu/keyserver/node_modules/mocha/lib/mocha.js:487:10)
>>     at MochaWrapper.run (/home/ubuntu/keyserver/node_modules/grunt-mocha-test/tasks/lib/MochaWrapper.js:44:13)
>>     at /home/ubuntu/keyserver/node_modules/grunt-mocha-test/tasks/mocha-test.js:84:20
>>     at capture (/home/ubuntu/keyserver/node_modules/grunt-mocha-test/tasks/mocha-test.js:31:5)
>>     at Object.<anonymous> (/home/ubuntu/keyserver/node_modules/grunt-mocha-test/tasks/mocha-test.js:79:5)
>>     at Object.<anonymous> (/home/ubuntu/keyserver/node_modules/grunt/lib/grunt/task.js:255:15)
>>     at Object.thisTask.fn (/home/ubuntu/keyserver/node_modules/grunt/lib/grunt/task.js:73:16)
>>     at Object.<anonymous> (/home/ubuntu/keyserver/node_modules/grunt/lib/util/task.js:294:30)
>>     at Task.runTaskFn (/home/ubuntu/keyserver/node_modules/grunt/lib/util/task.js:244:24)
>>     at Task.<anonymous> (/home/ubuntu/keyserver/node_modules/grunt/lib/util/task.js:293:12)
>>     at /home/ubuntu/keyserver/node_modules/grunt/lib/util/task.js:220:11
>>     at process._tickDomainCallback (node.js:459:13)
Warning: Task "mochaTest:test" failed. Use --force to continue.

Aborted due to warnings.
npm ERR! weird error 3
npm WARN This failure might be due to the use of legacy binary "node"
npm WARN For further explanations, please read
/usr/share/doc/nodejs/README.Debian
 
npm ERR! not ok code 0

On current HEAD and trying with last release get same result.

Version 3.5.1 of mocha just got published.

This version is covered by your current version range and after updating it in your project the build failed.

As mocha is “only” a devDependency of this project it might not break production or downstream projects, but “only” your build or test tools – preventing new deploys or publishes.

I recommend you give this issue a high priority. I’m sure you can resolve this 💪

Your Greenkeeper Bot 🌴

Using my own instance of mailvelope's keyserver I ran into this error, checking and trying to add "https://keys.mailvelope.com" as keyserver in the firefox and chrome extension I found the same error so I think this is could be a problem with the implementation of hkp protocol?

thanks for the good work!

We want to use the keyserver and have it automatically just accept the keys without e-mailing the user, is this easy to do?

gpg(1) says:

   --search-keys names
          Search  the  keyserver for the given names. Multiple names given
          here will be joined together to create the search string for the
          keyserver.   Option --keyserver must be used to give the name of
          this keyserver.  Keyservers that support different search  meth‐
          ods  allow  using the syntax specified in "How to specify a user
          ID" below.

[…]
HOW TO SPECIFY A USER ID
[…]
By exact match on an email address.
This is indicated by enclosing the email address in the usual
way with left and right angles.

     <[email protected]>

This suggests that users and scripts are likely to search keyservers for an e-mail address specifically by wrapping it in angle brackets.

However, the HKPS interface implemented by the mailvelope keyserver returns HTTP/1.1 501 Not Implemented when the search= query parameter is wrapped in angle-brackets.

Instead, it should accept searches wrapped in angle brackets and treat them the same as it would a comparable search that is not wrapped in angle brackets.

Version 7.3.0 of koa-router was just published.

This version is covered by your current version range and after updating it in your project the build failed.

koa-router is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴