build: set signing key expiration to 2027-05-08 #6526

Open
wants to merge 1 commit into
base: master
bastimeyer
Member

Resolves #6524

This updates the expiration date of Streamlink's signing key from 2025-07-16T20:19:14Z to 2027-05-08T14:09:37 CEST.

Similar to #5449, signing.key.enc includes the passwordless secret signing subkey 89A4EFA5653B899E661179991AEB6400EDA27DA9 of CDAC41B9122470FAF357A9D344448A298D5C3618, symmetrically encrypted using AES256 with the previously used passphrase SIGNING_KEY_PASSPHRASE.


New public key

This will be published on the keyservers once this PR has been merged.

I'm going to double check everything first again though, but I'll do this later. In case I made a mistake, this data will obviously change.


Verifying that the old and newly generated signatures using the old and new pub keys work...

Building new release assets and signing them (in addition to re-signing the 7.3.0 release):

$ SIGNING_KEY_ID=1AEB6400EDA27DA9 SIGNING_KEY_PASSPHRASE='...' ./script/build-and-sign.sh
...

Testing old pubkey (in my main keyring):

$ gpg --keyid-format long --list-keys 44448A298D5C3618
pub   ed25519/44448A298D5C3618 2023-07-17 [SC]
      CDAC41B9122470FAF357A9D344448A298D5C3618
uid                 [ultimate] Streamlink signing key <[email protected]>
sub   ed25519/1AEB6400EDA27DA9 2023-07-17 [S] [expires: 2025-07-16]

# New signature from new build using the build-script
$ gpg --verify ./dist/streamlink-7.3.0+7.g655da0f1.dirty.tar.gz.asc 
gpg: assuming signed data in './dist/streamlink-7.3.0+7.g655da0f1.dirty.tar.gz'
gpg: Signature made 2025-05-08T14:41:36 CEST
gpg:                using EDDSA key 89A4EFA5653B899E661179991AEB6400EDA27DA9
gpg: Good signature from "Streamlink signing key <[email protected]>" [ultimate]

# New signature from updated signing key on the 7.3.0 release
$ gpg --verify ~/streamlink-7.3.0.tar.gz{.asc.NEW,}
gpg: Signature made 2025-05-08T14:27:40 CEST
gpg:                using EDDSA key 89A4EFA5653B899E661179991AEB6400EDA27DA9
gpg: Good signature from "Streamlink signing key <[email protected]>" [ultimate]

# Old signature on the 7.3.0 release (obviously works)
$ gpg --verify ~/streamlink-7.3.0.tar.gz{.asc.OLD,}
gpg: Signature made 2025-04-26T21:09:27 CEST
gpg:                using EDDSA key 89A4EFA5653B899E661179991AEB6400EDA27DA9
gpg: Good signature from "Streamlink signing key <[email protected]>" [ultimate]

Testing the updated pubkey in a temp keyring (imported from the other temp keyring where I updated the expiration date - trust level not set, hence the warnings):

$ gpg --homedir . --keyid-format long --list-keys 
/tmp/gpgpub/pubring.kbx
-----------------------
pub   ed25519/44448A298D5C3618 2023-07-17 [SC]
      CDAC41B9122470FAF357A9D344448A298D5C3618
uid                 [ unknown] Streamlink signing key <[email protected]>
sub   ed25519/1AEB6400EDA27DA9 2023-07-17 [S] [expires: 2027-05-08]

# New signature from new build using the build-script
$ gpg --homedir . --verify ~/repos/streamlink/dist/streamlink-7.3.0+7.g655da0f1.dirty.tar.gz.asc 
gpg: assuming signed data in '/home/basti/repos/streamlink/dist/streamlink-7.3.0+7.g655da0f1.dirty.tar.gz'
gpg: Signature made 2025-05-08T14:41:36 CEST
gpg:                using EDDSA key 89A4EFA5653B899E661179991AEB6400EDA27DA9
gpg: Good signature from "Streamlink signing key <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CDAC 41B9 1224 70FA F357  A9D3 4444 8A29 8D5C 3618
     Subkey fingerprint: 89A4 EFA5 653B 899E 6611  7999 1AEB 6400 EDA2 7DA9

# New signature on the 7.3.0 release (obviously works)
$ gpg --homedir . --verify ~/streamlink-7.3.0.tar.gz{.asc.NEW,}
gpg: Signature made 2025-05-08T14:27:40 CEST
gpg:                using EDDSA key 89A4EFA5653B899E661179991AEB6400EDA27DA9
gpg: Good signature from "Streamlink signing key <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CDAC 41B9 1224 70FA F357  A9D3 4444 8A29 8D5C 3618
     Subkey fingerprint: 89A4 EFA5 653B 899E 6611  7999 1AEB 6400 EDA2 7DA9

# Old signature on the 7.3.0 release
$ gpg --homedir . --verify ~/streamlink-7.3.0.tar.gz{.asc.OLD,}
gpg: Signature made 2025-04-26T21:09:27 CEST
gpg:                using EDDSA key 89A4EFA5653B899E661179991AEB6400EDA27DA9
gpg: Good signature from "Streamlink signing key <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: CDAC 41B9 1224 70FA F357  A9D3 4444 8A29 8D5C 3618
     Subkey fingerprint: 89A4 EFA5 653B 899E 6611  7999 1AEB 6400 EDA2 7DA9
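The transcripts above rely on gpg's human-readable "Good signature" line. As an added example (not part of this PR or of Streamlink's scripts), the same check can be made on gpg's machine-readable status output, pinning the two fingerprints quoted in the PR and reporting a stale local copy of the public key (`EXPKEYSIG`) separately; the function names `check_status` and `verify_release` and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide on `gpg --status-fd` lines, not on the human text.
PRIMARY_FPR=CDAC41B9122470FAF357A9D344448A298D5C3618   # primary key, from the PR
SUBKEY_FPR=89A4EFA5653B899E661179991AEB6400EDA27DA9    # signing subkey, from the PR

# Reads status lines on stdin and prints a verdict. Returns 0 only for a good
# signature made by the pinned subkey of the pinned primary key.
check_status() {
  awk -v want_sub="$SUBKEY_FPR" -v want_pri="$PRIMARY_FPR" '
    $1 != "[GNUPG:]"   { next }
    $2 == "GOODSIG"    { good = 1 }
    $2 == "EXPKEYSIG"  { bad = "key-expired" }  # local pubkey still has the old expiry
    $2 == "BADSIG" || $2 == "REVKEYSIG" || $2 == "EXPSIG" || $2 == "ERRSIG" {
      bad = "rejected"
    }
    # VALIDSIG: field 3 is the signing (sub)key fingerprint; the last field
    # is the primary key fingerprint.
    $2 == "VALIDSIG"   { sub_fpr = $3; pri_fpr = $NF }
    END {
      if (bad != "")              { print bad; exit 1 }
      if (!good || sub_fpr == "") { print "no-valid-signature"; exit 1 }
      if (sub_fpr != want_sub || pri_fpr != want_pri) { print "wrong-key"; exit 1 }
      print "ok"
    }'
}

# Usage: verify_release streamlink-7.3.0.tar.gz.asc streamlink-7.3.0.tar.gz
verify_release() {
  gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status
}

# Constructed status lines (timestamps are made up), for running offline.
VALIDSIG_LINE="[GNUPG:] VALIDSIG $SUBKEY_FPR 2025-05-08 1746708096 0 4 0 22 10 00 $PRIMARY_FPR"
SAMPLE_FRESH="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1AEB6400EDA27DA9 Streamlink signing key
$VALIDSIG_LINE"
# What a verifier sees after the old expiry date if it never refreshed the key:
SAMPLE_STALE="[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 1AEB6400EDA27DA9 Streamlink signing key
$VALIDSIG_LINE"

printf '%s\n' "$SAMPLE_FRESH" | check_status || true
printf '%s\n' "$SAMPLE_STALE" | check_status || true
```

A `key-expired` verdict means the signature itself is intact and the verifier needs the updated public key, which is different from `rejected` or `wrong-key`.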

Successfully merging this pull request may close these issues.

Renew/extend signing key (expires 2025-07-16)