From adefcd9682cdd0b1cd10c3158c19447b566df6cb Mon Sep 17 00:00:00 2001 From: Josh Wretlind Date: Tue, 17 Feb 2026 14:27:48 -0700 Subject: [PATCH 1/3] Fix keyfile permissions --- build/ps-entry.sh | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/build/ps-entry.sh b/build/ps-entry.sh index 1a55a1b262..8f57fc2eed 100755 --- a/build/ps-entry.sh +++ b/build/ps-entry.sh @@ -19,6 +19,7 @@ if [[ $originalArgOne == mongo* ]] && [ "$(id -u)" = '0' ]; then chown --dereference mongodb "/proc/$$/fd/1" "/proc/$$/fd/2" || : # ignore errors thanks to https://github.com/docker-library/mongo/issues/149 + exec gosu mongodb:1001 "${BASH_SOURCE[0]}" "$@" fi @@ -460,6 +461,30 @@ if [[ $originalArgOne == mongo* ]]; then if [ -f "${LDAP_SSL_DIR}/ca.crt" ]; then echo "TLS_CACERT ${LDAP_SSL_DIR}/ca.crt" >/etc/openldap/ldap.conf fi + + ls -l /etc/mongodb-secrets + fi + + keyFilePath="" + if _mongod_hack_have_arg --keyFile "${mongodHackedArgs[@]}"; then + keyFilePath="$(_mongod_hack_get_arg_val --keyFile "${mongodHackedArgs[@]}")" + elif _parse_config "${mongodHackedArgs[@]}"; then + keyFilePath="$(jq -r '.security.keyFile // empty' "$jsonConfigFile")" + fi + + if [ -n "$keyFilePath" ] && [ -f "$keyFilePath" ]; then + keyFileTmp="${TMPDIR:-/tmp}/mongodb-keyfile" + if [ "$keyFilePath" != "$keyFileTmp" ]; then + if ! cp -f "$keyFilePath" "$keyFileTmp"; then + echo >&2 "error: failed to copy keyFile from $keyFilePath to $keyFileTmp" + exit 1 + fi + fi + if ! chmod 0400 "$keyFileTmp"; then + echo >&2 "error: failed to chmod keyFile $keyFileTmp" + exit 1 + fi + _mongod_hack_ensure_arg_val --keyFile "$keyFileTmp" "${mongodHackedArgs[@]}" fi if [ "$MONGODB_VERSION" != 'v4.0' ]; then From e11f3fd93215ca098ffae7c7466a8f1ba09e9de2 Mon Sep 17 00:00:00 2001 From: Josh Wretlind Date: Tue, 17 Feb 2026 14:30:25 -0700 Subject: [PATCH 2/3] Remove extra debug line --- build/ps-entry.sh | 2 -- 1 file changed, 2 deletions(-) 
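Review bot: In the second hunk, `cp -f "$keyFilePath" "$keyFileTmp"` creates the copy with whatever mode the source file and the current umask give it, and `chmod 0400` only runs afterwards, so the keyfile can be group- or world-readable for a short window. Creating it private from the start closes that window, for example `if ! (umask 077 && cp -f "$keyFilePath" "$keyFileTmp"); then`. The destination is also a fixed name under `${TMPDIR:-/tmp}`, and `cp` writes through a file or symlink that already exists at that path. If anything else in the container can write to that directory, a directory writable only by the mongodb user (or one created with `mktemp -d`) would be safer. The enclosing `if [[ $originalArgOne == mongo* ]]` block starts and ends outside the hunk.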
diff --git a/build/ps-entry.sh b/build/ps-entry.sh index 8f57fc2eed..21da508ed4 100755 --- a/build/ps-entry.sh +++ b/build/ps-entry.sh @@ -461,8 +461,6 @@ if [[ $originalArgOne == mongo* ]]; then if [ -f "${LDAP_SSL_DIR}/ca.crt" ]; then echo "TLS_CACERT ${LDAP_SSL_DIR}/ca.crt" >/etc/openldap/ldap.conf fi - - ls -l /etc/mongodb-secrets fi keyFilePath="" From f5ae072189a79bc6168dd347d45440b57779decc Mon Sep 17 00:00:00 2001 From: joshWretlind Date: Tue, 17 Feb 2026 14:38:28 -0700 Subject: [PATCH 3/3] Update build/ps-entry.sh Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- build/ps-entry.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/build/ps-entry.sh b/build/ps-entry.sh index 21da508ed4..fce992158f 100755 --- a/build/ps-entry.sh +++ b/build/ps-entry.sh @@ -19,7 +19,6 @@ if [[ $originalArgOne == mongo* ]] && [ "$(id -u)" = '0' ]; then chown --dereference mongodb "/proc/$$/fd/1" "/proc/$$/fd/2" || : # ignore errors thanks to https://github.com/docker-library/mongo/issues/149 - exec gosu mongodb:1001 "${BASH_SOURCE[0]}" "$@" fi