diff --git a/README.mkd b/README.mkd
index b766f7e..1df3bf8 100644
--- a/README.mkd
+++ b/README.mkd
@@ -70,6 +70,8 @@ detail [here][gsdiff].
   * simpler, yet far more powerful, config file syntax, including specifying
     gitweb/daemon access.  You'll need this power if you manage lots of
     users+repos+combinations of access
+  * apart from branch-name based restrictions, you can also restrict by
+    file/dir name changed (i.e., output of `git diff --name-only`)
   * config file syntax gets checked upfront, and much more thoroughly
   * if your requirements are still too complex, you can split up the config
     file and delegate authority over parts of it
diff --git a/src/gl-compile-conf b/src/gl-compile-conf
index 98bcb2e..639d604 100755
--- a/src/gl-compile-conf
+++ b/src/gl-compile-conf
@@ -495,14 +495,20 @@ for my $pubkey (glob("*"))
     print STDERR "WARNING: pubkey $pubkey exists but user $user not in config\n"
         unless $user_list{$user};
     $user_list{$user} = 'has pubkey';
+    # apparently some pubkeys don't end in a newline...
+    my $pubkey_content = `cat $pubkey`;
+    $pubkey_content =~ s/\s*$/\n/;
+    # don't trust files with multiple lines (i.e., something after a newline)
+    if ($pubkey_content =~ /\n./)
+    {
+        print STDERR "WARNING: a pubkey file can only have one line (key); ignoring $pubkey\n";
+        next;
+    }
     if ($SHELL_USERS and $SHELL_USERS =~ /(^|\s)$user(\s|$)/) {
         print $newkeys_fh "command=\"$AUTH_COMMAND -s $user\",$AUTH_OPTIONS ";
     } else {
         print $newkeys_fh "command=\"$AUTH_COMMAND $user\",$AUTH_OPTIONS,no-pty ";
     }
-    # apparently some pubkeys don't end in a newline...
-    my $pubkey_content = `cat $pubkey`;
-    $pubkey_content =~ s/\s*$/\n/;
     print $newkeys_fh $pubkey_content;
 }
 # lint check 3; a little more severe than the first two I guess...