Write signing keys with file mode 0640 (#16740)

Co-authored-by: Fabian Klemp <fabian.klemp@frequentis.com>
4 months ago · 10ada2ff6d
--- a/changelog.d/16740.bugfix
+++ b/changelog.d/16740.bugfix
@@ -0,0 +1 @@
 Fix a long-standing bug where the signing keys generated by Synapse were world-readable. Contributed by Fabian Klemp.
--- a/synapse/_scripts/generate_signing_key.py
+++ b/synapse/_scripts/generate_signing_key.py
@@ -13,6 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 import argparse
 import os
 import sys

 from signedjson.key import generate_signing_key, write_signing_keys
@@ -26,15 +27,21 @@ def main() -> None:
    parser.add_argument(
        "-o",
        "--output_file",
        type=argparse.FileType("w"),
        default=sys.stdout,
        type=str,
        default="-",
        help="Where to write the output to",
    )
    args = parser.parse_args()

    key_id = "a_" + random_string(4)
    key = (generate_signing_key(key_id),)
    write_signing_keys(args.output_file, key)
    if args.output_file == "-":
        write_signing_keys(sys.stdout, key)
    else:
        with open(
            args.output_file, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
        ) as signing_key_file:
            write_signing_keys(signing_key_file, key)


 if __name__ == "__main__":
--- a/synapse/config/key.py
+++ b/synapse/config/key.py
@@ -263,7 +263,9 @@ class KeyConfig(Config):

        if not self.path_exists(signing_key_path):
            print("Generating signing key file %s" % (signing_key_path,))
            with open(signing_key_path, "w") as signing_key_file:
            with open(
                signing_key_path, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
            ) as signing_key_file:
                key_id = "a_" + random_string(4)
                write_signing_keys(signing_key_file, (generate_signing_key(key_id),))
        else:
@@ -274,7 +276,9 @@ class KeyConfig(Config):
                key = decode_signing_key_base64(
                    NACL_ED25519, key_id, signing_keys.split("\n")[0]
                )
                with open(signing_key_path, "w") as signing_key_file:
                with open(
                    signing_key_path, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
                ) as signing_key_file:
                    write_signing_keys(signing_key_file, (key,))