signing.bbclass: create env with 0x600

The env file holds the PKCS#11 uris, which include the pin to access
the database - in plaintext. Directly create the file (after it has
been remove) with the proper 'user RW only' permissions, to give only
the build-user access to this somewhat "security sensitive" file.

Note that the softhsm/sqlite3.db* is already 0x600.

Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

1 files changed, 2 insertions, 1 deletions

diff --git a/meta-oe/classes/signing.bbclass b/meta-oe/classes/signing.bbclass
index 26d1b592e3..b35184398a 100644
--- a/meta-oe/classes/signing.bbclass
+++ b/meta-oe/classes/signing.bbclass
@@ -104,6 +104,7 @@ signing_import_prepare() {
 
     export _SIGNING_ENV_FILE_="${B}/meta-signing.env"
     rm -f "$_SIGNING_ENV_FILE_"
+    install -m 600 /dev/null "$_SIGNING_ENV_FILE_"
 
     export SOFTHSM2_CONF="${B}/softhsm2.conf"
     export SOFTHSM2_DIR="${B}/softhsm2.tokens"
@@ -331,7 +332,7 @@ signing_import_install() {
     install -d ${D}${localstatedir}/lib/softhsm/tokens/${PN}
     install -m 600 -t ${D}${localstatedir}/lib/softhsm/tokens/${PN} ${B}/softhsm2.tokens/*/*
     install -d ${D}${localstatedir}/lib/meta-signing.env.d
-    install -m 644 "${B}/meta-signing.env" ${D}${localstatedir}/lib/meta-signing.env.d/${PN}
+    install -m 600 "${B}/meta-signing.env" ${D}${localstatedir}/lib/meta-signing.env.d/${PN}
 }
 
 signing_prepare() {