diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index ffb357ecd6..5c5e056d21 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -3262,7 +3262,8 @@ def make_disk(
 
 def make_oci(context: Context, root_layer: Path, dst: Path) -> None:
     ca_store = dst / "blobs" / "sha256"
-    ca_store.mkdir(parents=True)
+    with umask(~0o755):
+        ca_store.mkdir(parents=True)
 
     layer_diff_digest = hash_file(root_layer)
     maybe_compress(
@@ -3307,7 +3308,8 @@ def make_oci(context: Context, root_layer: Path, dst: Path) -> None:
     }
     oci_config_blob = json.dumps(oci_config)
     oci_config_digest = hashlib.sha256(oci_config_blob.encode()).hexdigest()
-    (ca_store / oci_config_digest).write_text(oci_config_blob)
+    with umask(~0o644):
+        (ca_store / oci_config_digest).write_text(oci_config_blob)
 
     layer_suffix = context.config.compress_output.oci_media_type_suffix()
     oci_manifest = {
@@ -3334,26 +3336,26 @@ def make_oci(context: Context, root_layer: Path, dst: Path) -> None:
     }
     oci_manifest_blob = json.dumps(oci_manifest)
     oci_manifest_digest = hashlib.sha256(oci_manifest_blob.encode()).hexdigest()
-    (ca_store / oci_manifest_digest).write_text(oci_manifest_blob)
+    with umask(~0o644):
+        (ca_store / oci_manifest_digest).write_text(oci_manifest_blob)
 
-    with (dst / "index.json").open("w") as f:
-        json.dump(
-            {
-                "schemaVersion": 2,
-                "mediaType": "application/vnd.oci.image.index.v1+json",
-                "manifests": [
-                    {
-                        "mediaType": "application/vnd.oci.image.manifest.v1+json",
-                        "digest": f"sha256:{oci_manifest_digest}",
-                        "size": (ca_store / oci_manifest_digest).stat().st_size,
-                    }
-                ],
-            },
-            f,
+        (dst / "index.json").write_text(
+            json.dumps(
+                {
+                    "schemaVersion": 2,
+                    "mediaType": "application/vnd.oci.image.index.v1+json",
+                    "manifests": [
+                        {
+                            "mediaType": "application/vnd.oci.image.manifest.v1+json",
+                            "digest": f"sha256:{oci_manifest_digest}",
+                            "size": (ca_store / oci_manifest_digest).stat().st_size,
+                        }
+                    ],
+                }
+            )
         )
 
-    with (dst / "oci-layout").open("w") as f:
-        json.dump({"imageLayoutVersion": "1.0.0"}, f)
+        (dst / "oci-layout").write_text(json.dumps({"imageLayoutVersion": "1.0.0"}))
 
 
 def make_esp(context: Context, uki: Path) -> list[Partition]: