Write signing keys with file mode 0640

[elara-leitstellentechnik]

Fixes #1528.
Fixes #6364.

Pull Request Checklist

• Pull request is based on the develop branch
• Pull request includes a changelog file. The entry should:
  • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
  • Use markdown where necessary, mostly for code blocks.
  • End with either a period (.) or an exclamation mark (!).
  • Start with a capital letter.
  • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
• Pull request includes a sign off
• Code style is correct
  (run the linters)

[DMRobertson]

The changes look good. But I think there is one more place that we generate and write signing keys:

synapse/synapse/_scripts/generate_signing_key.py

Lines 24 to 37 in 961ee75

	parser = argparse.ArgumentParser()
	parser.add_argument(
	"-o",
	"--output_file",
	type=argparse.FileType("w"),
	default=sys.stdout,
	help="Where to write the output to",
	)
	args = parser.parse_args()
	key_id = "a_" + random_string(4)
	key = (generate_signing_key(key_id),)
	write_signing_keys(args.output_file, key)

(I found this by searching for uses of write_signing_keys).

Could you also amend this one? Probably the easiest way is to append

if args.output_file is not sys.stdout:
    os.chmod(args.output_file, 0o640)

to the end of main. Hopefully it should be easy test, too by running the script.

[elara-leitstellentechnik]

Your suggestion doesn't work as the type of argparse.FileType is not a PathLike or similar, but just the opened file.

I therefore refactored the script a bit. This has the nice benefit, that the file is properly closed now as well (which I believe it wasn't before.

[DMRobertson]

LGTM:

dmr on titan in synapse-3 on  elara-leitstellentechnik/develop is 📦 v1.98.0rc1 via 🐍 v3.11.6 (matrix-synapse-py3.11) via 🦀 v1.70.0 via 🐏 13GiB/15GiB | 4GiB/8GiB 
2023-12-08 16:16:23 ✔  $ generate_signing_key 
ed25519 a_mVUl PXgocqQ8m+hOV/e73Se4FRzYKSzsnEgF+CKTB2ugV3A

dmr on titan in synapse-3 on  elara-leitstellentechnik/develop is 📦 v1.98.0rc1 via 🐍 v3.11.6 (matrix-synapse-py3.11) via 🦀 v1.70.0 via 🐏 13GiB/15GiB | 4GiB/8GiB 
2023-12-08 16:16:28 ✗ 2 USAGE  $ generate_signing_key -o arse

dmr on titan in synapse-3 on  elara-leitstellentechnik/develop is 📦 v1.98.0rc1 via 🐍 v3.11.6 (matrix-synapse-py3.11) via 🦀 v1.70.0 via 🐏 12GiB/15GiB | 4GiB/8GiB 
2023-12-08 16:16:33 ✔  $ stat arse
  File: arse
  Size: 59        	Blocks: 8          IO Block: 4096   regular file
Device: 0,42	Inode: 41513849    Links: 1
Access: (0640/-rw-r-----)  Uid: ( 1000/     dmr)   Gid: ( 1000/     dmr)
Context: unconfined_u:object_r:user_home_t:s0
Access: 2023-12-08 16:16:32.994926068 +0000
Modify: 2023-12-08 16:16:32.995926073 +0000
Change: 2023-12-08 16:16:32.995926073 +0000
 Birth: 2023-12-08 16:16:32.994926068 +0000

dmr on titan in synapse-3 on  elara-leitstellentechnik/develop is 📦 v1.98.0rc1 via 🐍 v3.11.6 (matrix-synapse-py3.11) via 🦀 v1.70.0 via 🐏 12GiB/15GiB | 4GiB/8GiB 
2023-12-08 16:16:37 ✔  $ cat arse
ed25519 a_BNCz +oIassI35rsZ7DlFLCHnJaCWj4CGNuAoaAmAaxKhVX4

Thank you!