Description
When adding a repo using pkgrepo.managed, the keys are being saved to /usr/share/keyrings/ with too restrictive permissions on systems hardened with a default UMASK of 077.
Setup
(Please provide relevant configs and/or SLS files; be sure to remove sensitive info. There is no general set-up of Salt.)
Please be as specific as possible and give set-up details.
Steps to Reproduce the behavior
I'm using the Microsoft Defender repo in my examples below, but it happens with all repos we add.
Hardened the environment by adding the following in /etc/login.defs.
Unclear if a restart of the salt-minion and/or reboot of the system is required to take effect.
Execute a state file containing the following...
```yaml
install_mdatp_repo:
  pkgrepo.managed:
    - aptkey: False
    - humanname: Microsoft Defender Repository
    - name: deb [arch=amd64,armhf,arm64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/{{ grains['os'] | lower }}/{{ grains['lsb_distrib_release'] }}/prod {{ grains['oscodename'] | lower }} main
    - dist: {{ grains['oscodename'] | lower }}
    - file: /etc/apt/sources.list.d/microsoft-prod.list
    - key_url: https://packages.microsoft.com/keys/microsoft.asc
    - refresh: true
    - refresh_db: true
```
This results in (among other things) two files being generated...
```
# ll /etc/apt/sources.list.d/microsoft-prod.list
-rw------- 1 root root 133 Jul 19 14:55 /etc/apt/sources.list.d/microsoft-prod.list
# ll /usr/share/keyrings/microsoft.gpg
-rw------- 1 root root 641 Jul 19 14:55 microsoft.gpg
```
The restrictive permissions on /etc/apt/sources.list.d/microsoft-prod.list don't seem to cause any problems. I've been unable to find any recommended permissions for source files.
However, the restrictive permissions on /usr/share/keyrings/microsoft.gpg cause apt-get update to fail with the error...
```
Err:X https://packages.microsoft.com/ubuntu/22.04/prod jammy InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EB3E94ADBE1229CF
```
https://manpages.ubuntu.com/manpages/noble/en/man5/sources.list.5.html states that ...
> keyring files have to be accessible and readable for the _apt system user, so ensure everyone has read-permissions on the file
Once I manually grant read access to the key for all users (chmod a+r /usr/share/keyrings/microsoft.gpg) I'm able to run apt-get update without any errors.
```
# ll /usr/share/keyrings/microsoft.gpg
-rw-r--r-- 1 root root 641 Jul 19 14:55 /usr/share/keyrings/microsoft.gpg
```
Expected behaviour
Create key files with world-readable permissions.
```
# ll /usr/share/keyrings/microsoft.gpg
-rw-r--r-- 1 root root 641 Jul 19 14:55 /usr/share/keyrings/microsoft.gpg
```
Versions Report
```
salt --versions-report
Salt Version:
          Salt: 3007.1

Python Version:
        Python: 3.10.14 (main, Apr 3 2024, 21:30:09) [GCC 11.2.0]

Dependency Versions:
          cffi: 1.16.0
      cherrypy: 18.8.0
      dateutil: 2.8.2
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.4
       libgit2: Not Installed
  looseversion: 1.3.0
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.7
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 23.1
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.19.1
        pygit2: Not Installed
  python-gnupg: 0.5.2
        PyYAML: 6.0.1
         PyZMQ: 25.1.2
        relenv: 0.16.0
         smmap: Not Installed
       timelib: 0.3.0
       Tornado: 6.3.3
           ZMQ: 4.3.4

Salt Package Information:
  Package Type: onedir

System Versions:
          dist: ubuntu 22.04.4 jammy
        locale: utf-8
       machine: x86_64
       release: 5.15.0-116-generic
        system: Linux
       version: Ubuntu 22.04.4 jammy
```
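Until the umask handling is fixed, a state can pin the keyring to the mode apt expects before the repo is refreshed. The following SLS is an added workaround example written for this report, not code from the issue or from the Salt project; it reuses the repo definition and paths above and assumes the minion runs as root. The refresh is moved out of pkgrepo.managed so that apt-get update only runs once the key is readable by the _apt user.

```yaml
# Added example, not from the issue or the Salt project.
install_mdatp_repo:
  pkgrepo.managed:
    - aptkey: False
    - humanname: Microsoft Defender Repository
    - name: deb [arch=amd64,armhf,arm64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/{{ grains['os'] | lower }}/{{ grains['lsb_distrib_release'] }}/prod {{ grains['oscodename'] | lower }} main
    - dist: {{ grains['oscodename'] | lower }}
    - file: /etc/apt/sources.list.d/microsoft-prod.list
    - key_url: https://packages.microsoft.com/keys/microsoft.asc
    # Do not refresh here: under umask 077 the keyring is written 0600 and the
    # refresh would hit the NO_PUBKEY error from the report.
    - refresh: False

# sources.list(5): keyring files must be readable by the _apt user.
# 0644 restores world read while keeping the key root-owned and not writable.
mdatp_keyring_readable:
  file.managed:
    - name: /usr/share/keyrings/microsoft.gpg
    - user: root
    - group: root
    - mode: '0644'
    - replace: False          # only manage ownership/mode, keep the key bytes
    - require:
      - pkgrepo: install_mdatp_repo

# Same treatment for the sources file (harmless, but matches the usual 0644).
mdatp_sources_readable:
  file.managed:
    - name: /etc/apt/sources.list.d/microsoft-prod.list
    - user: root
    - group: root
    - mode: '0644'
    - replace: False
    - require:
      - pkgrepo: install_mdatp_repo

# Refresh the package index only after the key is readable, and only when
# the repo or the keyring actually changed.
mdatp_refresh_db:
  cmd.run:
    - name: apt-get update
    - onchanges:
      - pkgrepo: install_mdatp_repo
      - file: mdatp_keyring_readable
```

A quick check on a hardened minion after applying the state is `stat -c '%a %U %G %n' /usr/share/keyrings/*.gpg`, which should show 644 root root for every signed-by keyring.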