build: new Streamlink signing key 44448A298D5C3618 #5449


@bastimeyer bastimeyer commented Jul 17, 2023

Replace old signing key:
E2B794C7C2C37162E5E2A097E3DB9E282E390FA0

With new one:
CDAC41B9122470FAF357A9D344448A298D5C3618


Public key:

Ref #5401

The old signing key was created by @beardypig in 2018. Unfortunately, he never shared the passphrase or the unencrypted private key data with anybody else because we didn't set up proper communication channels back then. Since he apparently misplaced the passphrase and private key, nobody except GitHub is in control of the signing key now, so unless we do some stupid CI shenanigans, we'll need to generate a new one. This also unfortunately means that we can't revoke the old one.

The old one was an RSA4096 signing key and the new one is an ED25519 one with a dedicated sub-key for signing, with an initial expiration time set to 2 years:
89A4EFA5653B899E661179991AEB6400EDA27DA9

$ gpg --keyid-format long -k CDAC41B9122470FAF357A9D344448A298D5C3618 
pub   ed25519/44448A298D5C3618 2023-07-17 [SC]
      CDAC41B9122470FAF357A9D344448A298D5C3618
uid                 [ultimate] Streamlink signing key <streamlink@protonmail.com>
sub   ed25519/1AEB6400EDA27DA9 2023-07-17 [S] [expires: 2025-07-16]

I will publish the public key to a keyserver once I've performed a test release on my GH test account, and I will share the passphrases and private keys of the primary-key and sub-key with the other maintainers, so we won't lose them again. I will do this as soon as I get the time in the next couple of days.


Similar to the storage of the old signing key, the new one is encrypted symmetrically via AES256. The decrypted signing key itself doesn't have a passphrase, because initially its passphrase was the same as the primary-key (which we certainly don't want) and setting a different one is problematic too, because gpg uses a weaker encryption for key storage (which can't be changed for some reason) and there's no point using that or having two encryption layers.

The build-and-sign script has been updated and it now writes the decrypted signing key file to the system's tmpfs instead of storing it in the git repo, like the old script did. I don't think that was a good idea, because the decrypted signing key could be read on a developer's system by anyone else at any time after running the signing script locally once.

Since GitHub apparently doesn't like showing diffs when a binary file gets turned into a text file (it's now stored as base64 data), I renamed the encrypted signing key file from signing.key.gpg to signing.key.enc.

I also decided to use a different secret env var on GitHub actions, so the old one can be kept, just in case.
New: SIGNING_KEY_PASSPHRASE
Old: RELEASE_KEY_PASSPHRASE


Local tests worked fine, btw:

$ SIGNING_KEY_ID=1AEB6400EDA27DA9 SIGNING_KEY_PASSPHRASE='...' ./script/build-and-sign.sh
...

$ gpg --verify ./dist/streamlink-5.5.1+114.g86698437.tar.gz.asc 
gpg: assuming signed data in './dist/streamlink-5.5.1+114.g86698437.tar.gz'
gpg: Signature made 2023-07-18T00:12:18 CEST
gpg:                using EDDSA key 89A4EFA5653B899E661179991AEB6400EDA27DA9
gpg: Good signature from "Streamlink signing key <streamlink@protonmail.com>" [ultimate]

TODO

  • Test release
  • Add SIGNING_KEY_PASSPHRASE
  • Publish public key to keyserver(s)
  • Share private key data
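
Because the old key cannot be revoked, anything that verifies release signatures has to pin the new fingerprints itself and refuse the old key. The following is an added example, not part of the pull request or of Streamlink's scripts: it evaluates the machine-readable status lines that `gpg --status-fd` emits against the fingerprints stated above. The function names, verdict strings and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Streamlink's code): judge a release signature from gpg's
# machine-readable status lines against the fingerprints stated in this PR.
# Real use:  gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null | check_release_sig

NEW_PRIMARY=CDAC41B9122470FAF357A9D344448A298D5C3618  # new primary key
NEW_SIGNING=89A4EFA5653B899E661179991AEB6400EDA27DA9  # its signing sub-key
OLD_KEY=E2B794C7C2C37162E5E2A097E3DB9E282E390FA0      # old key, never revoked

# Reads "[GNUPG:] ..." lines on stdin, prints a verdict, returns 0 only for "ok".
check_release_sig() {
    verdict=$(awk -v prim="$NEW_PRIMARY" -v skey="$NEW_SIGNING" -v old="$OLD_KEY" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            n++
            signer  = toupper($3)   # fingerprint of the key that made the signature
            primary = toupper($NF)  # last field: fingerprint of its primary key
            if (signer == old || primary == old) oldkey = 1
            else if (signer != skey || primary != prim) other = 1
        }
        END {
            if (bad)         print "bad-signature"
            else if (n == 0) print "no-valid-signature"
            else if (oldkey) print "old-key"
            else if (other)  print "unexpected-key"
            else             print "ok"
        }')
    printf '%s\n' "$verdict"
    [ "$verdict" = ok ]
}

# Constructed status output (timestamps and algorithm ids are sample values).
sample_new() {
    printf '%s\n' '[GNUPG:] NEWSIG' \
        "[GNUPG:] VALIDSIG $NEW_SIGNING 2023-07-17 1689631938 0 4 0 22 10 00 $NEW_PRIMARY"
}
sample_old() {
    printf '%s\n' '[GNUPG:] NEWSIG' \
        "[GNUPG:] VALIDSIG $OLD_KEY 2023-01-01 1672531200 0 4 0 1 8 00 $OLD_KEY"
}
sample_tampered() {
    printf '%s\n' '[GNUPG:] NEWSIG' '[GNUPG:] BADSIG 1AEB6400EDA27DA9 constructed uid'
}

for s in sample_new sample_old sample_tampered; do
    printf '%s: ' "$s"; "$s" | check_release_sig || true
done
```

Treating `EXPKEYSIG` as a failure matters here because the signing sub-key carries an expiry date, and gpg still prints a `VALIDSIG` line alongside it.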


bastimeyer commented Jul 18, 2023

Should be good to go now.

  1. test release didn't show any issues
  2. new secret env var is set
  3. public key has been uploaded to keyserver.ubuntu.com and keys.openpgp.org
  4. private keys shared

@bastimeyer bastimeyer merged commit ad1b54b into streamlink:master Jul 18, 2023
@bastimeyer bastimeyer deleted the new-signing-key-44448A298D5C3618 branch July 18, 2023 17:32
@beardypig

chagrin emoji
