From ddabe81dd8b4c8a8e9ab2502d93cc52dece44e10 Mon Sep 17 00:00:00 2001
From: MickLesk <mickey.leskowitz@gmail.com>
Date: Thu, 12 Feb 2026 22:24:24 +0100
Subject: [PATCH] fix(tools.func): set GPG keyring files to 644 permissions

gpg --dearmor creates files with restrictive permissions (600),
which prevents Debian 13's sqv signature verifier from reading
the keyring files. This causes apt update to fail with
'Permission denied' errors for all repositories using custom
GPG keys (adoptium, pgdg, pdm, etc.).

Set chmod 644 after creating .gpg files in both setup_deb822_repo()
and the MongoDB GPG key import in manage_tool_repository().
---
 misc/tools.func | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/misc/tools.func b/misc/tools.func
index 48d529361..3eb650aca 100644
--- a/misc/tools.func
+++ b/misc/tools.func
@@ -465,6 +465,7 @@ manage_tool_repository() {
       msg_error "Failed to download MongoDB GPG key"
       return 1
     fi
+    chmod 644 "/etc/apt/keyrings/mongodb-server-${version}.gpg"
 
     # Setup repository
     local distro_codename
@@ -1319,6 +1320,7 @@ setup_deb822_repo() {
     }
   fi
   rm -f "$tmp_gpg"
+  chmod 644 "/etc/apt/keyrings/${name}.gpg"
 
   # Write deb822
   {