SCons: Identify build clearly when using AES256 encryption key #107309

Merged

@akien-mga akien-mga commented Jun 9, 2025

It seems to be a common pitfall that users try to build custom templates with a key but somehow it doesn't get picked up as they expect it to.

Building for platform "linuxbsd", architecture "x86_64", target "editor".

*** IMPORTANT: Compiling Godot with custom `SCRIPT_AES256_ENCRYPTION_KEY` set as environment variable.
*** Make sure to use templates compiled with this key when exporting a project with encryption.

scons: done reading SConscript files.

@Calinou @bruvzg I suggest adding it to the docs so that users know to look for this message in their build logs when troubleshooting.

I also considered whether to print the value of the key so they can confirm it matches their expectations, but chose not to as it might be considered a security issue to print it in clear (e.g. it may be used on CI with a secret).

bruvzg commented Jun 9, 2025

I wonder if we can auto validate it without making the key even less secure, maybe generate some extra metadata file with key hash and check it during export.

The same can also be used to validate if correct template version is used.

@bruvzg bruvzg left a comment

Some indication in the build log is useful, probably won't reduce the number of people not building templates much, but can be used for troubleshooting.

Calinou commented Jun 9, 2025

> I also considered whether to print the value of the key so they can confirm it matches their expectations, but chose not to as it might be considered a security issue to print it in clear (e.g. it may be used on CI with a secret).

CI services generally perform a string match on logs to redact secrets, but it's not 100% reliable and most CI services recommend not relying on this mechanism.

That said, we could choose to display the first 4 characters so you know you're not using the wrong key (it's 64 characters long, so this only reveals minimal information).
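
A sketch of the "metadata file with key hash, checked during export" idea raised in the comments above, as an added example that is not part of this PR or of Godot's build scripts. The function names, metadata layout and context label are hypothetical, the keys are constructed samples, and the key is assumed to be 64 hexadecimal characters.

```python
import hashlib
import hmac
import json
import re
from typing import List, Optional

# Hypothetical domain-separation label; not a Godot constant.
FINGERPRINT_CONTEXT = b"example-template-key-fingerprint-v1"
KEY_RE = re.compile(r"[0-9a-fA-F]{64}")

# Constructed sample keys, for illustration only.
KEY_A = "0123456789abcdef" * 4
KEY_B = "fedcba9876543210" * 4


def key_fingerprint(key_hex: str) -> str:
    """Short one-way fingerprint; reveals no characters of the key itself."""
    if not KEY_RE.fullmatch(key_hex):
        raise ValueError("key must be exactly 64 hexadecimal characters")
    # HMAC keyed with the secret over a fixed label, truncated to 64 bits:
    # enough to tell two keys apart, and safe to write to logs or metadata.
    mac = hmac.new(bytes.fromhex(key_hex), FINGERPRINT_CONTEXT, hashlib.sha256)
    return mac.hexdigest()[:16]


def build_metadata(key_hex: Optional[str], template_version: str) -> str:
    """Build step: record the version and key fingerprint next to the template."""
    fp = key_fingerprint(key_hex) if key_hex else ""
    return json.dumps({"key_fingerprint": fp, "template_version": template_version})


def check_export(metadata_json: str, export_key_hex: str, editor_version: str) -> List[str]:
    """Export step: return a list of problems (empty when the template matches)."""
    meta = json.loads(metadata_json)
    problems = []
    if meta.get("template_version") != editor_version:
        problems.append("template version mismatch")
    expected = str(meta.get("key_fingerprint", ""))
    actual = key_fingerprint(export_key_hex)
    if not expected:
        problems.append("template was built without an encryption key")
    elif not hmac.compare_digest(expected.encode(), actual.encode()):
        problems.append("encryption key mismatch")
    return problems


if __name__ == "__main__":
    meta = build_metadata(KEY_A, "1.0-sample")
    print(meta)
    print(check_export(meta, KEY_B, "1.0-sample"))
```

The fingerprint only protects a key that was generated randomly; a guessable key can still be confirmed offline by anyone who reads the metadata.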

@akien-mga akien-mga modified the milestones: 4.x, 4.5 Jun 10, 2025
@akien-mga akien-mga merged commit b6668cf into godotengine:master Jun 10, 2025
20 checks passed
@akien-mga akien-mga deleted the scons-encryption-key-info-message branch June 10, 2025 10:38