With Russel's patch to nova and defaulting signing_dir to ~/keystone-signing in keystoneclient, I think ttx's first suggestion is covered.
Changing the keystoneclient patch to simply log warnings if the signing_dir's owner or permissions have unexpected values satisfies the second suggestion (see attached, which no longer needs any update to the test framework).
With Russel's patch to nova and defaulting signing_dir to ~/keystone-signing in keystoneclient, I think ttx's first suggestion is covered.
Changing the keystoneclient patch to simply log warnings if the signing_dir's owner or permissions have unexpected values satisfies the second suggestion (see attached, which no longer needs any update to the test framework).