This is legitimate.
Oh… Due to the barrage of scam emails that one receives daily, an unanswerable email — about a subject that isn't even mentioned on the main site — from ‘webmaster@localhost’ doesn't exactly appear trustworthy.
Due to the site structure it's hard to have both OpenID and user/password auth at the same time, so I figured this would suffice.
How come you're scrapping OpenID? I, for one, am not interested in maintaining yet another username/password combo, so you're going to lose at least one user.
Unfortunately there wasn't a DEFAULT_FROM_EMAIL set so the mail came from 'webmaster@localhost'.
And how, pray tell, did you imagine that people would believe that the email was legitimate? Did you expect people to scour the email headers for clues and make DNS lookups?
Signed? With what key?
Ever heard of PGP
? The public key, or at least its fingerprint, could be available on the website. As a minimum I'd expect that the matter was mentioned on the website…
Thanks for stepping forward, though.