phase1: enforce proper umask during signing
author Jo-Philipp Wich <jo@mein.io>
Tue, 26 Jul 2016 18:09:27 +0000 (20:09 +0200)
committer Jo-Philipp Wich <jo@mein.io>
Tue, 26 Jul 2016 18:09:29 +0000 (20:09 +0200)
Ensure that the umask is set to 022 when signing tarballs since twistd invokes
the helper script with an umask of 077, preventing world access on the
resulting files.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
phase1/signall.sh

index f0d80fec232a9cd6f7e9e2f5bd7d80a97d8a12bd..015470dd45ef59628228f64054c2617f954b0a9a 100755 (executable)
@@ -17,6 +17,8 @@ if [ ! -f "$tarball" ]; then
        finish 1
 fi
 
+umask 022
+
 mkdir "$tmpdir" || finish 2
 tar -C "$tmpdir/" -xzf "$tarball" || finish 3
 find "$tmpdir/" -type f -not -name "*.gpg" -exec gpg --no-version --batch --yes -a -b ${keyid:+-u "$keyid"} ${comment:+--comment="$comment"} ${passfile:+--passphrase-file "$passfile"} -o "{}.gpg" "{}" \; || finish 4
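Review bot: `umask 022` is set before `mkdir "$tmpdir"`, so the relaxed mask also covers the working directory and every file that `tar` extracts and `gpg` writes into it, not only the final signed output. If the goal is just world-readable results, consider leaving the inherited mask in place for the `$tmpdir` steps and either setting `umask 022` right before the output is produced or fixing the mode of the resulting file explicitly with chmod. A one-line comment above `umask 022` noting that twistd invokes the script with 077 would also keep the reason for the override next to the code rather than only in the commit message.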