stripe-cli | A command-line tool for Stripe | Ecommerce library

• Publishable keys are used by client-side code such as Stripe.js to hit public APIs, mostly to tokenize card information. This prevents you from being exposed to raw card info and incurring a significant PCI compliance burden.
• Secret keys are the API keys you use server-side to make API calls to the Stripe API. Secret API keys must be kept secure and should be treated like a password to your account, as they can perform many critical functions like creating payments, issuing refunds, and more.
• Restricted keys are similar to secret keys, but they have reduced permissions that you define in the Stripe Dashboard.
• Webhook signing secrets are used by your webhook endpoint code to verify the events sent to that code are actually from Stripe and not someone else pretending to be Stripe.

You can read more about publishable, secret, and restricted API keys in Stripe's documentation on API keys.

since there is no Stripe CLI running in prod, is the webhook_signing_secret the same as the secret_key? (event is not forwarded through the CLI)

No, they are completely different and used for different things.

why can't the Stripe CLI create an event with the signing secret encoded? it has already the publishable_key and secret_keys configured, why does it need a new one?

Including the webhook signing secret in the event would defeat the purpose, prevent the security measure from working, and not be representative of how things work in production.