From 9738765258de46538d358fdaa5e6c109c8dbeaf7 Mon Sep 17 00:00:00 2001
From: Cory Hawklvelt
Date: Sun, 26 Apr 2026 00:13:37 +0930
Subject: [PATCH] fix: set 0600 permissions on SSH certificates and challenge files in gatehouse-cli

---
 client/gatehouse-cli.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/client/gatehouse-cli.py b/client/gatehouse-cli.py
index 97c4505..2bf5ad2 100755
--- a/client/gatehouse-cli.py
+++ b/client/gatehouse-cli.py
@@ -369,6 +369,7 @@ def request_certificate(org_id=None):
     json_result = response.json().get('data', response.json())
     with open(CERT_FILE_PATH, 'w') as f:
         f.write(json_result['certificate'])
+    os.chmod(CERT_FILE_PATH, 0o600)
     logger.info(f"Certificate signed successfully, located at {CERT_FILE_PATH}")
     logger.info(f"Valid for principals: {', '.join(json_result.get('principals', principals))}")

@@ -432,11 +433,13 @@ def generate_and_sign_challenge(ssh_key_file, key_id):
     with open(CHALLENGE_FILE_PATH, 'w') as f:
         f.write(challenge_text)
+    os.chmod(CHALLENGE_FILE_PATH, 0o600)
     subprocess.run(
         ["ssh-keygen", "-Y", "sign", "-f", ssh_key_file, "-n", "file", CHALLENGE_FILE_PATH],
         check=True,
     )
+    os.chmod(CHALLENGE_SIG_FILE_PATH, 0o600)
     with open(CHALLENGE_SIG_FILE_PATH, 'rb') as f:
         signature = base64.b64encode(f.read()).decode('utf-8')
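Review bot: The certificate file is still created by `open(CERT_FILE_PATH, 'w')` with whatever mode the process umask allows and is only tightened by the added `os.chmod` after the full contents have been written, so there is a window in which the file can be world-readable, and a pre-existing file keeps its old mode until that chmod runs. Creating the file with the restrictive mode up front removes the window: `with os.fdopen(os.open(CERT_FILE_PATH, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w') as f:` (the trailing `os.chmod` can stay to cover files that already existed, since the mode in `os.open` only applies on creation). The same applies to the `open(CHALLENGE_FILE_PATH, 'w')` line in the second hunk; the signature file is produced by ssh-keygen, so the post-hoc chmod there is the only option short of adjusting the umask around the subprocess call. request_certificate begins before this hunk and its body may continue beyond the trailing context shown.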