diff --git a/changelog.d/16740.bugfix b/changelog.d/16740.bugfix
new file mode 100644
index 0000000000..21551516e2
--- /dev/null
+++ b/changelog.d/16740.bugfix
@@ -0,0 +1 @@
+Fix a long-standing bug where the signing keys generated by Synapse were world-readable. Contributed by Fabian Klemp.
diff --git a/synapse/_scripts/generate_signing_key.py b/synapse/_scripts/generate_signing_key.py
index 3f8f5da75f..581b991505 100755
--- a/synapse/_scripts/generate_signing_key.py
+++ b/synapse/_scripts/generate_signing_key.py
@@ -13,6 +13,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
import argparse
+import os
import sys
from signedjson.key import generate_signing_key, write_signing_keys
@@ -26,15 +27,21 @@ def main() -> None:
parser.add_argument(
"-o",
"--output_file",
- type=argparse.FileType("w"),
- default=sys.stdout,
+ type=str,
+ default="-",
help="Where to write the output to",
)
args = parser.parse_args()
key_id = "a_" + random_string(4)
key = (generate_signing_key(key_id),)
- write_signing_keys(args.output_file, key)
+ if args.output_file == "-":
+ write_signing_keys(sys.stdout, key)
+ else:
+ with open(
+ args.output_file, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
+ ) as signing_key_file:
+ write_signing_keys(signing_key_file, key)
if __name__ == "__main__":
diff --git a/synapse/config/key.py b/synapse/config/key.py
index f3dc4df695..1920498cd1 100644
--- a/synapse/config/key.py
+++ b/synapse/config/key.py
@@ -263,7 +263,9 @@ class KeyConfig(Config):
if not self.path_exists(signing_key_path):
print("Generating signing key file %s" % (signing_key_path,))
- with open(signing_key_path, "w") as signing_key_file:
+ with open(
+ signing_key_path, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
+ ) as signing_key_file:
key_id = "a_" + random_string(4)
write_signing_keys(signing_key_file, (generate_signing_key(key_id),))
else:
@@ -274,7 +276,9 @@ class KeyConfig(Config):
key = decode_signing_key_base64(
NACL_ED25519, key_id, signing_keys.split("\n")[0]
)
- with open(signing_key_path, "w") as signing_key_file:
+ with open(
+ signing_key_path, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
+ ) as signing_key_file:
write_signing_keys(signing_key_file, (key,))
|
