From 4b26108b3d1717016ee757cb45242beceb666755 Mon Sep 17 00:00:00 2001
From: Michael Hoang
Date: Fri, 6 Jun 2025 12:14:19 +1000
Subject: [PATCH] cli: don't generate a `sops` key that is world readable

Fixes https://git.clan.lol/clan/clan-core/issues/3808
---
 pkgs/clan-cli/clan_cli/secrets/sops.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkgs/clan-cli/clan_cli/secrets/sops.py b/pkgs/clan-cli/clan_cli/secrets/sops.py
index a76910c4a..842287695 100644
--- a/pkgs/clan-cli/clan_cli/secrets/sops.py
+++ b/pkgs/clan-cli/clan_cli/secrets/sops.py
@@ -352,6 +352,7 @@ def generate_private_key(out_file: Path | None = None) -> tuple[str, str]:
 raise ClanError(msg)
 if out_file:
 out_file.parent.mkdir(parents=True, exist_ok=True)
+ out_file.touch(mode=0o600)
 out_file.write_text(res)
 except subprocess.CalledProcessError as e:
 msg = "Failed to generate private sops key"
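Review bot: `out_file.touch(mode=0o600)` applies the mode only when it creates the file; if `out_file` already exists, `Path.touch` just updates its timestamp, so a key file left world readable by an earlier run keeps those permissions and the following `write_text(res)` writes the new private key into it. Adding `out_file.chmod(0o600)` right after the touch, before the write, would cover both the new and the pre-existing case. Whether callers can reach this with an existing path is not visible here, since `generate_private_key` starts and ends outside the hunk. A short comment such as `# create with 0600 before writing so the key is never readable by others` would also record why the touch has to precede the write.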