Replace old signing key:
E2B794C7C2C37162E5E2A097E3DB9E282E390FA0

With new one:
CDAC41B9122470FAF357A9D344448A298D5C3618

Public key:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEZLWhshYJKwYBBAHaRw8BAQdAu0sD5Ez8mfroVXpEohGHAeH1H2xduEHsYHkG
IciKHdy0MlN0cmVhbWxpbmsgc2lnbmluZyBrZXkgPHN0cmVhbWxpbmtAcHJvdG9u
bWFpbC5jb20+iJAEExYIADgWIQTNrEG5EiRw+vNXqdNERIopjVw2GAUCZLWhsgIb
AwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRBERIopjVw2GH2MAQCxW0AG6K8A
P7hUfQHU7eMCBlNxhr1JcCcxl2ajcaOojAD9E+klQNd7VIFH3NcVlw42ADfFGdph
t6uwU8886DclIgO4MwRktaJCFgkrBgEEAdpHDwEBB0CgjJ8c9OXf+00EpqZb6Oxk
hIDDbLJKG04d7eRigLUYt4j1BBgWCAAmFiEEzaxBuRIkcPrzV6nTRESKKY1cNhgF
AmS1okICGwIFCQPCZwAAgQkQRESKKY1cNhh2IAQZFggAHRYhBImk76VlO4meZhF5
mRrrZADton2pBQJktaJCAAoJEBrrZADton2pcMUA/jwTLdeanUFXpaEY1dOkHR3x
skagH/y1TT7r0jIkfRKZAP0dadPIYHcIwm5y8ijs2Th4FRfwTzmKGhLv4hfNRxVD
BK3gAQCl+067glcwcgeWHq0mxhoWTN1oaaMBbQHN423fTs7TjgD/e5Fra1oTLW+I
Acu3T/qLqTiOpSHzlNQOKogPilLU7Q4=
=IEx0
-----END PGP PUBLIC KEY BLOCK-----

Ref #5401

The old signing key was created by @beardypig in 2018. Unfortunately, he never shared the passphrase or the unencrypted private key data with anybody else because we didn't set up proper communication channels back then. Since he apparently misplaced the passphrase and private key, nobody except GitHub is in control of the signing key now, so unless we do some stupid CI shenanigans, we'll need to generate a new one. This also unfortunately means that we can't revoke the old one.

The old one was an RSA4096 signing key and the new one is an ED25519 one with a dedicated sub-key for signing, with an initial expiration time set to 2 years:
89A4EFA5653B899E661179991AEB6400EDA27DA9

$ gpg --keyid-format long -k CDAC41B9122470FAF357A9D344448A298D5C3618 
pub   ed25519/44448A298D5C3618 2023-07-17 [SC]
      CDAC41B9122470FAF357A9D344448A298D5C3618
uid                 [ultimate] Streamlink signing key <streamlink@protonmail.com>
sub   ed25519/1AEB6400EDA27DA9 2023-07-17 [S] [expires: 2025-07-16]

I will publish the public key to a keyserver once I've performed a test release on my GH test account, and I will share the passphrases and private keys of the primary-key and sub-key with the other maintainers, so we won't lose them again. I will do this as soon as I get the time in the next couple of days.

Similar to the storage of the old signing key, the new one is encrypted symmetrically via AES256. The decrypted signing key itself doesn't have a passphrase, because initially its passphrase was the same as the primary-key (which we certainly don't want) and setting a different one is problematic too, because gpg uses a weaker encryption for key storage (which can't be changed for some reason) and there's no point using that or having two encryption layers.

The build-and-sign script has been updated and it now writes the decrypted signing key file to the system's tmpfs instead of storing it in the git repo, like the old script did. I don't think that was a good idea, because the decrypted signing key could be read on a developer's system by anyone else at any time after running the signing script locally once.

Since GitHub apparently doesn't like showing diffs when a binary file gets turned into a text file (it's now stored as base64 data), I renamed the encrypted signing key file from signing.key.gpg to signing.key.enc.

I also decided to use a different secret env var on GitHub actions, so the old one can be kept, just in case.
New: SIGNING_KEY_PASSPHRASE
Old: RELEASE_KEY_PASSPHRASE

Local tests worked fine, btw:

$ SIGNING_KEY_ID=1AEB6400EDA27DA9 SIGNING_KEY_PASSPHRASE='...' ./script/build-and-sign.sh
...

$ gpg --verify ./dist/streamlink-5.5.1+114.g86698437.tar.gz.asc 
gpg: assuming signed data in './dist/streamlink-5.5.1+114.g86698437.tar.gz'
gpg: Signature made 2023-07-18T00:12:18 CEST
gpg:                using EDDSA key 89A4EFA5653B899E661179991AEB6400EDA27DA9
gpg: Good signature from "Streamlink signing key <streamlink@protonmail.com>" [ultimate]

TODO

• Test release
• Add SIGNING_KEY_PASSPHRASE
• Publish public key to keyserver(s)
• Share private key data