build: new Streamlink signing key 44448A298D5C3618

Replace old signing key:
E2B794C7C2C37162E5E2A097E3DB9E282E390FA0

With new one:
CDAC41B9122470FAF357A9D344448A298D5C3618

.github/workflows/main.yml

@@ -12,8 +12,6 @@ on:
 
 env:
   STREAMLINK_DIST_DIR: ${{ github.workspace }}/dist
-  SIGNING_KEY_ID: 2E390FA0
-  SIGNING_KEY_FILE: ${{ github.workspace }}/signing.key
 
 jobs:
   test:
@@ -138,7 +136,8 @@ jobs:
         run: make --directory=docs man
       - name: sdist and wheels
         env:
-          RELEASE_KEY_PASSPHRASE: ${{ secrets.RELEASE_KEY_PASSPHRASE }}
+          SIGNING_KEY_ID: 1AEB6400EDA27DA9
+          SIGNING_KEY_PASSPHRASE: ${{ secrets.SIGNING_KEY_PASSPHRASE }}
         run: ./script/build-and-sign.sh
       - name: Github release
         env:

script/build-and-sign.sh

@@ -3,56 +3,81 @@ shopt -s nullglob
 set -e
 
 
-if ! python -m pip -q show "build"; then
-    echo >&2 "build: missing dependency 'build'"
+ROOT=$(git rev-parse --show-toplevel 2>/dev/null || realpath "$(dirname "$(readlink -f "${0}")")/..")
+
+VERSION=$(python setup.py --version)
+DIST=${STREAMLINK_DIST_DIR:-"${ROOT}/dist"}
+
+WHEEL_PLATFORMS=("win32" "win-amd64")
+
+SIGNING_KEY_FILE="${SIGNING_KEY_FILE:-"${ROOT}/signing.key.enc"}"
+
+
+# ----
+
+
+log() {
+    echo >&2 "build: ${@}"
+}
+
+warn() {
+    log "WARNING: ${@}"
+}
+
+err() {
+    log "ERROR: ${@}"
     exit 1
+}
+
+
+# ----
+
+
+if ! python -m pip -q show "build"; then
+    err "Missing python package: build"
 fi
 
 
-KEY_ID=${SIGNING_KEY_ID:-2E390FA0}
-KEY_FILE=${SIGNING_KEY_FILE:-signing.key}
-KEY_FILE_ENC=${KEY_FILE}.gpg
+build() {
+    log "Building Streamlink sdist and generic wheel"
+    python -m build --outdir "${DIST}" --sdist --wheel
 
-version=$(python setup.py --version)
-dist_dir=${STREAMLINK_DIST_DIR:-dist}
+    for platform in "${WHEEL_PLATFORMS[@]}"; do
+        log "Building Streamlink platform-specific wheel for ${platform}"
+        python -m build --outdir "${DIST}" --wheel --config-setting="--build-option=--plat-name=${platform}"
+    done
+}
 
-wheel_platforms_windows=("win32" "win-amd64")
+sign() {
+    [[ -z "${SIGNING_KEY_PASSPHRASE}" ]] && { warn "Empty SIGNING_KEY_PASSPHRASE, not signing built files"; exit; }
+    [[ -z "${SIGNING_KEY_ID}" ]] && err "Missing SIGNING_KEY_ID"
 
-mkdir -p "${dist_dir}"
+    local tmp=$(mktemp -d) && trap "rm -rf ${tmp}" EXIT || exit 255
 
-echo >&2 "build: Building Streamlink sdist"
-python -m build --outdir "${dist_dir}" --sdist
-
-echo >&2 "build: Building Streamlink wheel"
-python -m build --outdir "${dist_dir}" --wheel
-
-for platform in "${wheel_platforms_windows[@]}"; do
-    echo >&2 "build: Building Streamlink wheel (${platform})"
-    python -m build --outdir "${dist_dir}" --wheel --config-setting="--build-option=--plat-name=${platform}"
-done
-
-
-if [[ "${CI}" = true ]] || [[ -n "${GITHUB_ACTIONS}" ]]; then
-    echo >&2 "build: Decrypting signing key"
-    gpg --quiet --batch --yes --decrypt \
+    log "Decrypting signing key"
+    gpg --quiet \
+        --batch \
+        --yes \
+        --decrypt \
         --passphrase-fd 0 \
-        --output "${KEY_FILE}" \
-        "${KEY_FILE_ENC}" \
-        <<< "${RELEASE_KEY_PASSPHRASE}"
-fi
+        --output "${tmp}/signing.key" \
+        "${SIGNING_KEY_FILE}" \
+        <<< "${SIGNING_KEY_PASSPHRASE}"
 
-if ! [[ -f "${KEY_FILE}" ]]; then
-    echo >&2 "warning: No signing key, files not signed"
-else
-    echo >&2 "build: Signing sdist and wheel files"
-    temp_keyring=$(mktemp -d) && trap "rm -rf ${temp_keyring}" EXIT || exit 255
-    gpg --homedir "${temp_keyring}" --import "${KEY_FILE}" 2>&1 >/dev/null
-    for file in "${dist_dir}"/streamlink-"${version}"{.tar.gz,-*.whl}; do
-        gpg --homedir "${temp_keyring}" \
+    log "Signing sdist and wheel files"
+    gpg --homedir "${tmp}" --import "${tmp}/signing.key" 2>&1 >/dev/null
+    for file in "${DIST}"/streamlink-"${VERSION}"{.tar.gz,-*.whl}; do
+        gpg --homedir "${tmp}" \
             --trust-model always \
-            --default-key "${KEY_ID}" \
+            --default-key "${SIGNING_KEY_ID}" \
             --detach-sign \
             --armor \
+            --yes \
             "${file}"
     done
-fi
+}
+
+
+mkdir -p "${DIST}"
+build
+sign

signing.key.enc

@@ -0,0 +1,21 @@
+-----BEGIN PGP MESSAGE-----
+
+jA0ECQMCHJNSx1Ed2Z7/0ukB+kQLJuRWVwbcI9TH0uMWP8HONJ6OZ8Nl22qoZGSI
+qMFCbJAaKDu9jVze7FjV+k2K4nCIY+lHeyN3O3JDrH/MXX7N1N114ZFAhqxtUY95
+HXT/F0M6++eR10gkhktvS8+ZVNp1tJJ8YlrTbdB4tQKHOWoL/4HkJpAExNl/PMur
+rl+enmJfjmDHwPM143CXyR/qBMYU7gE05tTYg6L2yaIcBlWDXBmJ6nRbVNvn6H0O
+wW+Nnou9msVu5hAU/Gg8cBvoF4VpsMtLu4gUgs5uGeflUW3KkTODVgfeYyDDoZF4
+Xb/apZe4ed/5dYuwGNwnxi3L8gaZJL6j0IvTgYbGbE/9PRC39CWTAwhj4N5sR6ul
+fIzphW9s/DfUkmvApQV3rIQ9PRakPniDniGv1CuVtgv2x6juKz+w0XUXHGvlEfcW
+VhvSN107+B7qucy4l8JIn1T1y8cjKF2U6LMVImqVir/nPWeugb7MaclpVdSkJzf3
+3oaYIwz/6PjowAbbrHbcR70CSogvR0yXNirorQ+b/j0oxJpiW/05i1Uu3vy3DTMH
+eTEQHukdj45IPYNzNzkIWtX0WMQx2CPvUPybZXx7DvwgNFLVlAr+3N1iqyPdICpt
+wbZ4D8NCZDcBgV3/9mzdZ9Xu0Ul8B7ufxkuJDusmjwcl/ngcVYTHiMgyHnz+tx+b
+csAxFZj4DoaVYWCR/vS3EujD7LBI69RQ9Mo1pXvBf0wG93S9VT5V0xBiCKtVP15O
+1vBv3PD1YPu3EzkMn3wj3W30wjhkzC5lSnqBpfRqfOWRgJlKxcRvOO/FjWqA2E/+
+wcPNOcy826pSLwLqw37a3GuoaIYxn0873wzB8aA9hC3lBJDIA1lWBjG8mAKjdYJ1
+kc/lRfbcHH1GKmf6BgmJNCfow+HdROBaUHTzNg4WE0Lqabv6RwCTMxaSTasSANCY
+twB+ugPZvc/fj6+HYG6h1rIkWi7OQKsa+6Dsc+0ib/UyFQdVMFkjL5td1E6zhz2U
+oLsbdQ==
+=rSZZ
+-----END PGP MESSAGE-----