build: new Streamlink signing key 44448A298D5C3618 #5449
Merged
Replace old signing key:
E2B794C7C2C37162E5E2A097E3DB9E282E390FA0
With new one:
CDAC41B9122470FAF357A9D344448A298D5C3618
Public key:
Ref #5401
The old signing key was created by @beardypig in 2018. Unfortunately, he never shared the passphrase or the unencrypted private key data with anybody else because we didn't set up proper communication channels back then. Since he apparently misplaced the passphrase and private key, nobody except GitHub is in control of the signing key now, so unless we do some stupid CI shenanigans, we'll need to generate a new one. This also unfortunately means that we can't revoke the old one.
The old one was an RSA4096 signing key and the new one is an ED25519 one with a dedicated sub-key for signing, with an initial expiration time set to 2 years:
89A4EFA5653B899E661179991AEB6400EDA27DA9
I will publish the public key to a keyserver once I've performed a test release on my GH test account, and I will share the passphrases and private keys of the primary-key and sub-key with the other maintainers, so we won't lose them again. I will do this as soon as I get the time in the next couple of days.
Similar to the storage of the old signing key, the new one is encrypted symmetrically via AES256. The decrypted signing key itself doesn't have a passphrase, because initially its passphrase was the same as the primary-key (which we certainly don't want) and setting a different one is problematic too, because gpg uses a weaker encryption for key storage (which can't be changed for some reason) and there's no point using that or having two encryption layers.
The build-and-sign script has been updated and it now writes the decrypted signing key file to the system's tmpfs instead of storing it in the git repo, like the old script did. I don't think that was a good idea, because the decrypted signing key could be read on a developer's system by anyone else at any time after running the signing script locally once.
Since GitHub apparently doesn't like showing diffs when a binary file gets turned into a text file (it's now stored as base64 data), I renamed the encrypted signing key file from signing.key.gpg to signing.key.enc. I also decided to use a different secret env var on GitHub actions, so the old one can be kept, just in case.
New:
SIGNING_KEY_PASSPHRASE
Old:
RELEASE_KEY_PASSPHRASE
Local tests worked fine, btw:
TODO
SIGNING_KEY_PASSPHRASE
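The tmpfs-backed signing flow the PR describes, written out as an added example (this is not Streamlink's own build-and-sign script). It assumes signing.key.enc holds the AES256-encrypted key as base64 text, that the passphrase is in SIGNING_KEY_PASSPHRASE, and that gpg 2.1+ is installed; the decrypted key only ever exists inside a 0700 scratch GNUPGHOME on a RAM-backed directory that is removed when signing finishes or fails.

```shell
#!/bin/sh
# Added example, not Streamlink's build-and-sign script. Assumptions: the
# encrypted key is base64 text in signing.key.enc and the symmetric passphrase
# is exported as SIGNING_KEY_PASSPHRASE, as in the PR description.
set -eu

# Choose a RAM-backed directory so the decrypted key never touches persistent
# storage; fall back to $TMPDIR only if no tmpfs candidate is usable.
pick_tmpfs_dir() {
  for c in "${XDG_RUNTIME_DIR:-}" /dev/shm; do
    [ -n "$c" ] && [ -d "$c" ] && [ -w "$c" ] || continue
    printf '%s\n' "$c"; return 0
  done
  printf '%s\n' "${TMPDIR:-/tmp}"
}

# Create a throwaway GNUPGHOME (mode 0700, so nothing inside is readable by
# other local users) under the tmpfs directory and print its path.
make_private_gnupghome() {
  base=$(pick_tmpfs_dir)
  dir=$(mktemp -d "$base/signing.XXXXXXXX")
  chmod 700 "$dir"
  printf '%s\n' "$dir"
}

# Decrypt the key into the scratch home, import it, produce a detached
# armored signature for each artifact given as an argument, then wipe the
# scratch home (the trap also wipes it if any step fails under set -e).
sign_artifacts() {
  enc_file=$1; shift
  home=$(make_private_gnupghome)
  trap 'rm -rf "$home"' EXIT
  base64 -d "$enc_file" > "$home/signing.key.gpg"
  printf '%s\n' "$SIGNING_KEY_PASSPHRASE" \
    | gpg --homedir "$home" --batch --quiet --pinentry-mode loopback \
          --passphrase-fd 0 --output "$home/signing.key" \
          --decrypt "$home/signing.key.gpg"
  gpg --homedir "$home" --batch --quiet --import "$home/signing.key"
  for f in "$@"; do
    gpg --homedir "$home" --batch --quiet --armor --detach-sign \
        --output "$f.asc" "$f"
  done
  rm -rf "$home"; trap - EXIT
}
```

Usage: `SIGNING_KEY_PASSPHRASE=... sh -c '. ./sign.sh; sign_artifacts signing.key.enc dist/*.tar.gz'`; only the `.asc` files remain afterwards, the key material does not.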