add verifiable cryptographic signature to email event in "security history" log

[monperrus]

What's the problem this feature will solve?
Verifying the event trail in security history

Describe the solution you'd like
Add a field signature to the event

From: [email protected]
To: [email protected]
Subject: [PyPI] Two-factor method added
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=qnyyfqodjxtnsobvnrsglem3olqxgb5o; d=pypi.org; t=1716013242;
	h=Subject:From:To:MIME-Version:Content-Type:Message-ID:Date;
	bh=sBC+yG9GSD1CnHoXXbcy9jcoanUnWeFQgXevQ7vrQ/o=;
	b=Idqy0AQzQeKAKPCkC/MvBx68S+5bGEsHdJ+MQHRMLtuVYQ4oqG7CH3dvB4VPeB+/
	KUjxrOU/ew3veyGZLNk8igmcxcXgJLplKWxVwi4kpni8/u9FurWd7KWJsBo6UH9DO1H
	lp8nQdB1rqPq3dOFXhcsvNM0lt3X+H86bv6bXNjI=

Additional context
Any signature would work. The advantage of DKIM-Signature is that 1) it is already there 2) there is email client support to verify DKIM-Signature

[woodruffw]

Making sure I understand: are you asking for a DKIM signature for the per-project "security history" page on pypi.org itself, or are you asking about the DKIM signature on the security emails themselves?

(If it's the latter, I think PyPI already issued DKIM-signed message bodies, since all of the emails in my inbox have the DKIM-Signature header. If it's the former, I think the value of signatures in the "security history" log would be minimal, since PyPI itself has transport security. But I could be misunderstanding.)