Trust signatures with unbounded regular expressions

Werner Koch wk at
Tue Feb 21 10:17:25 CET 2012

On Mon, 20 Feb 2012 01:10, s_buckhe at said:
> Hello,
> given a key, I would like to create a trust signature with a specific
> regular expression, say "-mail[12]\.example\.com$" in this exact form.
> That expression, and thus the signature, would match any domain name
> ending with or, including all
> email addresses attached to them. This is exactly what I want, but gnupg
> mangles the regular expression to match mail addresses or domains at or
> beneath the verbatim domain name -mail[12]
> Is there any way to create a trust signature with that exact regular
> expression with gnupg?

No.  For security reasons we don't allow arbitrary REs anymore:

  2007-12-12  David Shaw  <dshaw at>  (wk)

	* trustdb.c (sanitize_regexp): New.  Protect against dangerous
	regexps (malloc bombs) by force-commenting any characters aside
	from the ones we explicitly want.
	(check_regexp): Use it here before passing the regexp to

See the comment in the sanitize_regexp function for more details.



Thoughts are free.  Exceptions are regulated by a federal law.
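
The idea named in the ChangeLog entry above, quoting every regexp character outside an explicit allowlist before the expression reaches the regex compiler, as an added example that is not part of the original message and is not GnuPG's sanitize_regexp code. The names quote_regexp and re_matches, the two character classes, and the use of POSIX extended regexps are assumptions of this example.

```c
/* Added illustration, not GnuPG's sanitize_regexp(); classes are assumed. */
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define ERE_SPECIAL "[]()*+?{}|^$\\"    /* always quoted, never operators */

/* malloc'd copy of `in` where only '.' stays an operator; NULL if refused. */
char *quote_regexp(const char *in)
{
    size_t len = strlen(in), o = 0;
    char *out = malloc(2 * len + 1);        /* worst case: every char quoted */
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '\\' && in[i + 1] && strchr(ERE_SPECIAL ".", in[i + 1])) {
            out[o++] = '\\';                /* keep an existing quoted pair */
            out[o++] = in[++i];
        } else if (isalnum(c) || c == '.' || c == '-' || c == '@') {
            out[o++] = (char)c;             /* allowlisted literal, or '.' */
        } else if (strchr(ERE_SPECIAL, c)) {
            out[o++] = '\\';                /* force-quote the operator */
            out[o++] = (char)c;
        } else {
            free(out);                      /* anything else: refuse */
            return NULL;
        }
    }
    out[o] = '\0';
    return out;
}

/* 1 if `text` matches extended regexp `re`, 0 if not, -1 if `re` is invalid. */
int re_matches(const char *re, const char *text)
{
    regex_t rx;
    if (regcomp(&rx, re, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    int hit = regexec(&rx, text, 0, NULL, 0) == 0;
    regfree(&rx);
    return hit;
}

int main(void)
{
    char *safe = quote_regexp("-mail[12]\\.example\\.com$"); /* from the question */
    printf("%s\n", safe ? safe : "(refused)");
    free(safe);
    return 0;
}
```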
