Diffstat (limited to 'src/mailman_pgp/rules/signature.py')
-rw-r--r--src/mailman_pgp/rules/signature.py25
1 files changed, 24 insertions, 1 deletions
diff --git a/src/mailman_pgp/rules/signature.py b/src/mailman_pgp/rules/signature.py
index 55b9b87..395dd7d 100644
--- a/src/mailman_pgp/rules/signature.py
+++ b/src/mailman_pgp/rules/signature.py
@@ -17,6 +17,7 @@
"""Signature checking rule for the pgp-posting-chain."""
from email.utils import parseaddr
+from operator import attrgetter
from mailman.core.i18n import _
from mailman.interfaces.action import Action
@@ -28,8 +29,10 @@ from zope.interface import implementer
from mailman_pgp.model.address import PGPAddress
from mailman_pgp.model.list import PGPMailingList
+from mailman_pgp.model.sighash import PGPSigHash
from mailman_pgp.pgp.wrapper import PGPWrapper
from mailman_pgp.utils.moderation import record_action
+from mailman_pgp.utils.pgp import hashes, verifies
@public
@@ -89,14 +92,34 @@ class Signature:
'No key set for address {}.'.format(email))
return True
+ if not pgp_address.key_confirmed:
+ record_action(msg, msgdata, Action.reject, email,
+ 'Key not confirmed.')
+ return True
+
+ verifications = list(wrapped.verify(key))
+
# Take the `invalid_sig_action` if the verification failed.
- if not wrapped.verifies(key):
+ if not verifies(verifications):
action = pgp_list.invalid_sig_action
if action != Action.defer:
record_action(msg, msgdata, action, email,
'Signature did not verify.')
return True
+ sig_hashes = set(hashes(verifications))
+ duplicates = set(PGPSigHash.hashes(sig_hashes))
+ if duplicates:
+ fingerprints = map(attrgetter('fingerprint'), duplicates)
+ if key.fingerprint in fingerprints:
+ action = pgp_list.duplicate_sig_action
+ if action != Action.defer:
+ record_action(msg, msgdata, action, email,
+ 'Signature duplicate.')
+ return True
+
+ # TODO: add the sig hashes to the db.
+
# XXX: we need to track key revocation separately to use it here
# TODO: check key revocation here
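Review bot: The replay check added around `duplicates = set(PGPSigHash.hashes(sig_hashes))` can only ever match hashes that some other code has already written, because this rule looks the hashes up but never records them (the `# TODO: add the sig hashes to the db.` left just below), so as committed `duplicate_sig_action` is effectively a no-op for signatures this rule has seen. When the store is added it should run only once the message is actually accepted, not inside this rule, or a held or deferred post that is later resubmitted will be rejected as its own duplicate; a comment to that effect next to the TODO would keep the next implementer from storing at verification time. The fingerprint filter is also written as a one-shot `map` iterator, which works here only because it is consumed once; `if any(d.fingerprint == key.fingerprint for d in duplicates):` says the same thing without needing `attrgetter`. Whether `verifies(verifications)` means all or any of several signatures verified is not visible here, so the set of hashes recorded for a multi-signature message presumably needs the same policy. The enclosing method of `Signature` starts before this hunk and continues past it.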