From c092b3adc58b8b2fec3fbec93dce0fb62b60507c Mon Sep 17 00:00:00 2001
From: Johannes Schneider
Date: Wed, 20 Aug 2025 12:11:28 +0200
Subject: [PATCH] signing.bbclass: create env with 0x600

The env file holds the PKCS#11 uris, which include the pin to access the database - in plaintext. Directly create the file (after it has been remove) with the proper 'user RW only' permissions, to give only the build-user access to this somewhat "security sensitive" file.

Note that the softhsm/sqlite3.db* is already 0x600.

Signed-off-by: Johannes Schneider
Signed-off-by: Khem Raj
---
 meta-oe/classes/signing.bbclass | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
index 26d1b592e3..b35184398a 100644
--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
@@ -104,6 +104,7 @@ signing_import_prepare() {
     export _SIGNING_ENV_FILE_="${B}/meta-signing.env"
     rm -f "$_SIGNING_ENV_FILE_"
+    install -m 600 /dev/null "$_SIGNING_ENV_FILE_"
 
     export SOFTHSM2_CONF="${B}/softhsm2.conf"
     export SOFTHSM2_DIR="${B}/softhsm2.tokens"
 
@@ -331,7 +332,7 @@ signing_import_install() {
     install -d ${D}${localstatedir}/lib/softhsm/tokens/${PN}
     install -m 600 -t ${D}${localstatedir}/lib/softhsm/tokens/${PN} ${B}/softhsm2.tokens/*/*
     install -d ${D}${localstatedir}/lib/meta-signing.env.d
-    install -m 644 "${B}/meta-signing.env" ${D}${localstatedir}/lib/meta-signing.env.d/${PN}
+    install -m 600 "${B}/meta-signing.env" ${D}${localstatedir}/lib/meta-signing.env.d/${PN}
 }
 
 signing_prepare() {
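Review bot: The new `install -m 600 /dev/null "$_SIGNING_ENV_FILE_"` line in signing_import_prepare() gives no in-code reason for the owner-only mode, and the justification lives only in the commit message, so a one-line comment above it would keep a later edit from loosening it, e.g. `# meta-signing.env holds PKCS#11 URIs that embed the token PIN in plaintext - create it owner-only before anything writes to it`. With the file now pre-created by install, the preceding `rm -f "$_SIGNING_ENV_FILE_"` is largely redundant, since GNU install replaces an existing destination, though keeping it is harmless. The matching 0600 change in signing_import_install() means the copy shipped under ${localstatedir}/lib/meta-signing.env.d/${PN} is readable only by its owner on the target, so any consumer that sources it as a non-root user would stop working; worth confirming there is none. The code that actually writes into $_SIGNING_ENV_FILE_ is outside these hunks, and the pre-set mode is only preserved if those writers append to or truncate the existing file rather than unlinking and recreating it. Both enclosing functions extend beyond the hunks: signing_import_prepare() opens before the first hunk, and signing_prepare() only begins at the end of the second.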