From 09ff0aadf42c2b932d44926b5625b2c8645bc07c Mon Sep 17 00:00:00 2001
From: Jeff Forcier <jeff@bitprophet.org>
Date: Mon, 16 Jan 2023 19:52:31 -0500
Subject: Nuke now extraneous chmod

---
 paramiko/pkey.py        | 2 --
 sites/www/changelog.rst | 8 ++++++++
 tests/test_pkey.py      | 4 +---
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/paramiko/pkey.py b/paramiko/pkey.py
index 1da11298..32d8cad5 100644
--- a/paramiko/pkey.py
+++ b/paramiko/pkey.py
@@ -560,8 +560,6 @@ class PKey:
             # Yea, you still gotta inform the FLO that it is in "write" mode.
             "w",
         ) as f:
-            # TODO 3.0: remove the now redundant chmod
-            os.chmod(filename, o600)
             self._write_private_key(f, key, format, password=password)
 
     def _write_private_key(self, f, key, format, password=None):
diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst
index 5e3af1a3..443f0b78 100644
--- a/sites/www/changelog.rst
+++ b/sites/www/changelog.rst
@@ -2,6 +2,14 @@
 Changelog
 =========
 
+- :support:`-` The behavior of private key classes' (ie anything inheriting
+  from `~paramiko.pkey.PKey`)  private key writing methods used to perform a
+  manual, extra ``chmod`` call after writing. This hasn't been strictly
+  necessary since the mid 2.x release line (when key writing started giving the
+  ``mode`` argument to `os.open`), and has now been removed entirely.
+
+  This should only be observable if you were mocking Paramiko's system calls
+  during your own testing, or similar.
 - :support:`-` ``PKey.__cmp__`` has been removed. Ordering-oriented comparison
   of key files is unlikely to have ever made sense (the old implementation
   attempted to order by the hashes of the key material) and so we have not
diff --git a/tests/test_pkey.py b/tests/test_pkey.py
index e2d0a1af..4d74d8aa 100644
--- a/tests/test_pkey.py
+++ b/tests/test_pkey.py
@@ -731,11 +731,9 @@ class KeyTest(unittest.TestCase):
         key.write_private_key_file(new, password=newpassword)
         # Expected open via os module
         os_.open.assert_called_once_with(
-            new, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, o600
+            new, flags=os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode=o600
         )
         os_.fdopen.assert_called_once_with(os_.open.return_value, "w")
-        # Old chmod still around for backwards compat
-        os_.chmod.assert_called_once_with(new, o600)
         assert (
             key._write_private_key.call_args[0][0]
             == os_.fdopen.return_value.__enter__.return_value
-- 
cgit v1.2.1