6 files changed, 62 insertions, 21 deletions

diff --git a/src/mailman_pgp/plugin.py b/src/mailman_pgp/plugin.py
index 6c4a0d7..d3974d1 100644
--- a/src/mailman_pgp/plugin.py
+++ b/src/mailman_pgp/plugin.py
@@ -24,7 +24,7 @@ from zope.event import classhandler
 from zope.interface import implementer
 
 from mailman_pgp.config import config
-from mailman_pgp.database import Database, query, transaction
+from mailman_pgp.database import Database, transaction
 from mailman_pgp.model.list import PGPMailingList
 from mailman_pgp.pgp import PGP
 from mailman_pgp.rest.root import RESTRoot
diff --git a/src/mailman_pgp/rest/lists.py b/src/mailman_pgp/rest/lists.py
index 5279702..fc7bbef 100644
--- a/src/mailman_pgp/rest/lists.py
+++ b/src/mailman_pgp/rest/lists.py
@@ -22,7 +22,6 @@ from mailman.rest.helpers import (
 from public import public
 
 from mailman_pgp.config import config
-from mailman_pgp.database import query
 from mailman_pgp.model.list import PGPMailingList
 
 
diff --git a/src/mailman_pgp/rules/signature.py b/src/mailman_pgp/rules/signature.py
index 5a89ab1..0ffd76b 100644
--- a/src/mailman_pgp/rules/signature.py
+++ b/src/mailman_pgp/rules/signature.py
@@ -30,45 +30,90 @@ from mailman_pgp.model.list import PGPMailingList
 from mailman_pgp.pgp.wrapper import PGPWrapper
 
 
+def _record_action(msgdata, action, sender, reason):
+    msgdata['moderation_action'] = action
+    msgdata['moderation_sender'] = sender
+    msgdata.setdefault('moderation_reasons', []).append(reason)
+
+
 @public
 @implementer(IRule)
 class Signature:
-    """"""
+    """The signature checking rule."""
 
     name = 'signature'
-
     description = _(
-        """
-        """)
-
+        """A rule which enforces PGP enabled list signature configuration.""")
     record = True
 
-    def _record_action(self, msgdata, action, sender, reason):
-        msgdata['moderation_action'] = action
-        msgdata['moderation_sender'] = sender
-        msgdata.setdefault('moderation_reasons', []).append(reason)
-
     def check(self, mlist, msg, msgdata):
         """See `IRule`."""
+        # Find the `PGPMailingList` this is for.
         enc_list = query(PGPMailingList).filter_by(
             list_id=mlist.list_id).first()
         if enc_list is None:
             raise ValueError('PGP enabled mailing list not found.')
 
+        # Wrap the message to work with it.
         wrapped = PGPWrapper(msg)
 
+        # Take unsigned_msg_action if unsigned.
         if not wrapped.is_signed():
             action = enc_list.unsigned_msg_action
             if action is not None:
-                self._record_action(msgdata, action, msg.sender,
-                                    'The message is unsigned.')
+                _record_action(msgdata, action, msg.sender,
+                               'The message is unsigned.')
                 return True
 
+        # Take `inline_pgp_action` if inline signed.
         if wrapped.is_inline_signed():
             action = enc_list.inline_pgp_action
             if action is not None:
-                self._record_action(msgdata, action, msg.sender,
-                                    'Inline PGP is not allowed.')
+                _record_action(msgdata, action, msg.sender,
+                               'Inline PGP is not allowed.')
+                return True
+
+        # Lookup the address by sender, and its corresponding `PGPAddress`.
+        user_manager = getUtility(IUserManager)
+        sender = msg.sender
+        address = user_manager.get_address(sender)
+        enc_address = PGPAddress.query().filter_by(
+            email=address.email).first()
+        if enc_address is None:
+            raise ValueError('PGP enabled address not found.')
+
+        # See if we have a key.
+        key = enc_address.key
+        if key is None:
+            # TODO: how to handle this?
+            raise ValueError('No key?')
+
+        # Verify, this gives us stuff we need to check.
+        verification = wrapped.verify(key)
+
+        # Take the `invalid_sig_action` if the verification failed.
+        if not verification:
+            action = enc_list.invalid_sig_action
+            if action is not None:
+                _record_action(msgdata, action, msg.sender,
+                               'Signature did not verify.')
+                return True
+
+        # TODO: handle more signatures here?
+        sig_obj = next(verification.good_signatures)
+        sig_key = sig_obj.by
+        sig_sig = sig_obj.signature
+
+        # Take the `expired_sig_action` if either he signature or the key
+        # is expired.
+        if sig_sig.is_expired or sig_key.is_expired:
+            action = enc_list.expired_sig_action
+            if action is not None:
+                _record_action(msgdata, action, msg.sender,
+                               'Signature or key expired.')
                 return True
 
-        # TODO finish this
\ No newline at end of file
+        # XXX: we need to track key revocation separately to use it here
+        # TODO: check key revocation here
+
+        return False
diff --git a/src/mailman_pgp/runners/incoming.py b/src/mailman_pgp/runners/incoming.py
index e059c28..6337633 100644
--- a/src/mailman_pgp/runners/incoming.py
+++ b/src/mailman_pgp/runners/incoming.py
@@ -24,7 +24,6 @@ from mailman.model.mailinglist import MailingList
 from public import public
 
 from mailman_pgp.config import config
-from mailman_pgp.database import query
 from mailman_pgp.model.list import PGPMailingList
 from mailman_pgp.pgp.wrapper import PGPWrapper
 
diff --git a/src/mailman_pgp/runners/outgoing.py b/src/mailman_pgp/runners/outgoing.py
index 92a765d..646822b 100644
--- a/src/mailman_pgp/runners/outgoing.py
+++ b/src/mailman_pgp/runners/outgoing.py
@@ -24,7 +24,6 @@ from mailman.model.mailinglist import MailingList
 from public import public
 
 from mailman_pgp.config import config
-from mailman_pgp.database import query
 from mailman_pgp.model.list import PGPMailingList
 
 
diff --git a/src/mailman_pgp/styles/base.py b/src/mailman_pgp/styles/base.py
index ac3b61a..10d9c18 100644
--- a/src/mailman_pgp/styles/base.py
+++ b/src/mailman_pgp/styles/base.py
@@ -19,8 +19,7 @@
 
 from public import public
 
-from mailman_pgp.config import config
-from mailman_pgp.database import query, transaction
+from mailman_pgp.database import transaction
 from mailman_pgp.model.list import PGPMailingList