upgprules - compile rules for upgpverify
upgpverify CDB TMP [INPUT]
upgpverify verifies, if told to do so, whether the signing key matches the rules in CDB.
upgprules compiles the rules in INPUT (or stdin) into CDB, a binary format suited for quick access by upgpverify.
upgprules can be used while upgpverify is running. It ensures that cdb is updated atomically. It does this by first writing the rules to tmp and then moving tmp on top of cdb. If tmp already exists, it is destroyed. The directories containing cdb and tmp must be writable to tcprules; they must also be on the same filesystem.
If there is a problem with the input or with tmp, upgprules complains and leaves cdb alone.
The binary cdb format is portable across machines.
INPUT lines starting with a hash (#) are ignored, as are empty lines. All other lines are rules.
Each rule consists of an identification, a colon, an instruction and a list of environment variable assignments.
An identification is a tag character followed by a star (*) symbol and a free-form string. The later must not contain a colon (:).
The tag character is used to distinguish the five different kinds of identifications, which are listed in order of preference:
The preference mentioned above is my personal preference. While the email address may be quite handy it's important not to forget that strange things might happen if you accept a public key which contains the email address of someone else - who might have more rights than the owner of the key (this also applies, to a lesser degree, to the user ID).
There are two:
An environment variable assignment contains a comma (,), a variable name, an equal sign (=), a quote character, a value and another quote character. The quote character may be choosen freely. Another assignment may follow.
The general form of an assignment is ,var=``value'', where `` may be any character not found in value.
upgprules etc/rules.cdb etc/rules.t <<EOF firstname.lastname@example.org:allow,why=%address% s*71EC423D:allow,why="short key id" s*5B86ABE571EC423D:allow,why="long key id" u*Uwe Ohse (RSA) <email@example.com>:allow,why=%uid% f*D1076FB6107A40F11DD9E6C67336FF68:allow,why=/fingerprint/ EOF