Write signing keys with file mode 0640

changelog.d/16740.bugfix

@@ -0,0 +1,3 @@
+Write signing keys with file mode 0640
+
+Contributed by Fabian Klemp

synapse/config/key.py

@@ -263,7 +263,9 @@ def generate_files(self, config: Dict[str, Any], config_dir_path: str) -> None:
 
         if not self.path_exists(signing_key_path):
             print("Generating signing key file %s" % (signing_key_path,))
-            with open(signing_key_path, "w") as signing_key_file:
+            with open(
+                signing_key_path, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
+            ) as signing_key_file:
                 key_id = "a_" + random_string(4)
                 write_signing_keys(signing_key_file, (generate_signing_key(key_id),))
         else:
@@ -274,7 +276,9 @@ def generate_files(self, config: Dict[str, Any], config_dir_path: str) -> None:
                 key = decode_signing_key_base64(
                     NACL_ED25519, key_id, signing_keys.split("\n")[0]
                 )
-                with open(signing_key_path, "w") as signing_key_file:
+                with open(
+                    signing_key_path, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
+                ) as signing_key_file:
                     write_signing_keys(signing_key_file, (key,))