Removed sig from global htaccess, create a new one in the config directory at install time which simply does a DenyFromAll, just like private files

.htaccess

@@ -3,7 +3,7 @@
 #
 
 # Protect files and directories from prying eyes.
-<FilesMatch "\.(sig|engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$">
+<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$">
   Order allow,deny
 </FilesMatch>
 

core/includes/file.inc

@@ -467,6 +467,7 @@ function file_ensure_htaccess() {
     file_save_htaccess('private://', TRUE);
   }
   file_save_htaccess('temporary://', TRUE);
+  file_save_htaccess(config_get_config_directory(), TRUE);
 }
 
 /**

core/includes/install.core.inc

@@ -1011,6 +1011,11 @@ function install_settings_form_submit($form, &$form_state) {
   if (!file_prepare_directory($config_path, FILE_CREATE_DIRECTORY)) {
     // How best to handle errors here?
   };
+  
+  // Write out a .htaccess file that will protect the config directory from
+  // prying eyes.
+  file_save_htaccess($config_path, TRUE);
+  
   // Indicate that the settings file has been verified, and check the database
   // for the last completed task, now that we have a valid connection. This
   // last step is important since we want to trigger an error if the new