--- tang-7.ori/src/tangd-keygen	2017-06-10 15:29:39.000000000 +0200
+++ tang-7/src/tangd-keygen	2023-06-28 11:40:01.700819479 +0200
@@ -27,6 +27,8 @@
 
 [ $# -eq 3 ] && sig=$2 && exc=$3
 
+# Set default umask for file creation.
+umask 0337
 jwe=`jose jwk gen -i '{"alg":"ES512"}'`
 [ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-`
 echo "$jwe" > $1/$sig.jwk
--- tang-7.ori/src/keys.c	2023-06-28 09:57:08.706712410 +0200
+++ tang-7/src/keys.c	2023-06-28 11:43:41.742247417 +0200
@@ -23,6 +23,7 @@
 #include <jose/io.h>
 #include <jansson.h>
 #include <string.h>
+#include <sys/stat.h>
 
 #include "util.h"
 #include "keys.h"
@@ -557,6 +558,9 @@
     /* At this point, there are no keys, so let's create them. */
     const char *alg[] = {"ES512", "ECMR", NULL};
     char path[PATH_MAX];
+
+    /* Set default umask for file creation. */
+    umask(0337);
     for (int i = 0; alg[i] != NULL; i++) {
         struct tang_jwk *jwk __attribute__((cleanup(cleanup_tang_jwk))) = generate_new_tang_jwk(alg[i]);
         if (!jwk) {