From eba7ab611c18d0ff7acf6f84e460a78fc05509a1 Mon Sep 17 00:00:00 2001 From: Mark Rushakoff Date: Fri, 3 Mar 2023 10:32:06 -0500 Subject: [PATCH 1/2] fix(crypto/keyring): disallow non-owner reads of keyhash The gosec linter has been complaining about this. On one hand, it's just a hash, but on the other hand, there is no apparent reason it needs to be readable by anyone other than the owner. Also use the preexisting keyhashFilePath variable, instead of concatenating a forward-slash value, which may not work properly on Windows. --- crypto/keyring/keyring.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/keyring/keyring.go b/crypto/keyring/keyring.go index a1e09ae4c9b3..8610cbf1473d 100644 --- a/crypto/keyring/keyring.go +++ b/crypto/keyring/keyring.go @@ -757,7 +757,7 @@ func newRealPrompt(dir string, buf io.Reader) func(string) (string, error) { continue } - if err := os.WriteFile(dir+"/keyhash", passwordHash, 0o555); err != nil { + if err := os.WriteFile(keyhashFilePath, passwordHash, 0o600); err != nil { return "", err } From f2f3ee3bb8e996f2c6bc9e28dd86812f815b3fd9 Mon Sep 17 00:00:00 2001 From: Mark Rushakoff Date: Fri, 3 Mar 2023 10:36:51 -0500 Subject: [PATCH 2/2] chore: update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f6076ea4f6f2..3f15534d1d4b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -154,6 +154,7 @@ Ref: https://keepachangelog.com/en/1.0.0/ * [#14995](https://github.com/cosmos/cosmos-sdk/pull/14995) Allow unknown fields in `ParseTypedEvent`. * (store) [#14931](https://github.com/cosmos/cosmos-sdk/pull/14931) Exclude in-memory KVStores, i.e. `StoreTypeMemory`, from CommitInfo commitments. * (types/coin) [#14739](https://github.com/cosmos/cosmos-sdk/pull/14739) Deprecate the method `Coin.IsEqual` in favour of `Coin.Equal`. The difference between the two methods is that the first one results in a panic when denoms are not equal. This panic lead to unexpected behavior +* (x/crypto) [#15258](https://github.com/cosmos/cosmos-sdk/pull/15258) Write keyhash file with permissions 0600 instead of 0555. ### Deprecated
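Review bot: In the `crypto/keyring/keyring.go` hunk (PATCH 1/2), the new `0o600` mode on `os.WriteFile(keyhashFilePath, passwordHash, 0o600)` only takes effect when the file is created. `os.WriteFile` truncates an existing file without changing its permissions, so a `keyhash` written by an earlier release with `0o555` stays readable by group and others after upgrade. If the intent is that no non-owner can read the hash, consider an explicit `os.Chmod(keyhashFilePath, 0o600)` on the path where the existing file is read, or note in the changelog that existing keyrings need a manual `chmod`. Separately, the definition of `keyhashFilePath` is outside the visible context; please confirm it is built from the same `dir` with `filepath.Join`, so the write still targets the location the old `dir+"/keyhash"` expression did.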
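Review bot: In the `CHANGELOG.md` hunk (PATCH 2/2), the added entry is tagged `(x/crypto)`, but the change is in `crypto/keyring/keyring.go` and the commit subject uses `crypto/keyring`; there is no `x/` module involved. Suggest `(crypto/keyring)` so the entry matches the package path. The entry could also say that the new mode applies to newly created keyhash files, since that is what a reader upgrading an existing keyring needs to know.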