feat(email): add GPG/PGP email signing and verification #13
Merged
qasim-nylas merged 2 commits into nylas:main from Feb 2, 2026
Add support for signing outgoing emails with GPG keys and verifying signatures on incoming emails using the PGP/MIME standard (RFC 3156).

Features:
- Sign emails with --sign flag using default or specific GPG key
- Verify signatures with --verify flag on email read
- Auto-fetch missing public keys from key servers
- Configure default key and auto-sign via nylas config
- List available GPG keys with --list-gpg-keys

New files:
- internal/adapters/gpg/ - GPG service for signing/verification
- internal/adapters/mime/ - RFC 3156 PGP/MIME message builder
- internal/cli/email/send_gpg.go - GPG signing flow
- internal/cli/email/read_verify.go - Signature verification
- docs/commands/email-signing.md - User documentation
- docs/commands/explain-gpg.md - GPG concepts guide

Security:
- Input validation for GPG key IDs (SEC-001, SEC-002)
- Cryptographically random MIME boundaries (SEC-003)
- Comprehensive test coverage including injection tests
The TestHandleListGPGKeys_NoGPG test now accepts multiple valid error conditions:
- GPG not found (not installed)
- no GPG secret keys found (installed but no keys)
- No GPG signing keys (alternative message)

This fixes CI failure where GPG is installed but has no keys configured.
qasim-nylas approved these changes Feb 1, 2026
AaronDDM approved these changes Feb 2, 2026
Summary
Add support for GPG/PGP email signing and verification using the PGP/MIME standard (RFC 3156).
Features
- --sign flag using default or specific GPG key
- --verify flag on email read
- nylas config
- --list-gpg-keys
Architecture
Verification Flow
New Files
- internal/adapters/gpg/service.go
- internal/adapters/gpg/types.go
- internal/adapters/mime/builder.go
- internal/cli/email/send_gpg.go
- internal/cli/email/read_verify.go
- docs/commands/email-signing.md
- docs/commands/explain-gpg.md
Usage Examples
Send Signed Email
Verify Signature
Configuration
Security
Input Validation (Defense against command injection)
Security Fixes Applied
- isValidGPGKeyID() validation
- crypto/rand for generation
Test Coverage
Key Servers
Auto-fetches missing public keys from:
- keys.openpgp.org
- keyserver.ubuntu.com
- pgp.mit.edu
- keys.gnupg.net
Test Plan
- --sign flag
- --gpg-key
- --verify
- --list-gpg-keys
- nylas config
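The Security section of the description names two controls: key-ID validation before invoking gpg, and MIME boundaries generated from crypto/rand. The sketch below shows both as an added example; it is not the code from this pull request. The names validKeySelector, signArgs and newBoundary, and the accepted key formats (hex ID or fingerprint, or an e-mail address), are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"regexp"
)

// Assumed allow-list: hex key ID/fingerprint (8, 16 or 40 digits, optional 0x)
// or an e-mail address. Go's $ matches only at end of text, not before "\n".
var (
	hexKeyID = regexp.MustCompile(`^(0x)?([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$`)
	emailID  = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,}$`)
)

// validKeySelector rejects option-like input (leading '-'), whitespace and metacharacters.
func validKeySelector(s string) bool {
	return len(s) <= 254 && (hexKeyID.MatchString(s) || emailID.MatchString(s))
}

// signArgs returns the argv for a detached, armored signature. Pass it to
// exec.Command("gpg", args...) so no shell ever parses the key selector.
func signArgs(key string) ([]string, error) {
	if !validKeySelector(key) {
		return nil, fmt.Errorf("invalid GPG key selector %q", key)
	}
	return []string{"--batch", "--armor", "--detach-sign", "--local-user", key}, nil
}

// newBoundary draws 128 bits from crypto/rand so message content cannot
// predict or collide with the multipart boundary.
func newBoundary() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return "=_" + hex.EncodeToString(b), nil
}

func main() {
	// Constructed inputs: two well-formed selectors, two injection attempts.
	for _, k := range []string{"0xDEADBEEFCAFEF00D", "alice@example.com", "--output=/tmp/x", "DEADBEEF\n--export"} {
		_, err := signArgs(k)
		fmt.Printf("%q accepted=%v\n", k, err == nil)
	}
	b, _ := newBoundary()
	fmt.Println("boundary:", b)
}
```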