expired GPG key
Describe the bug
The GPG key has expired.
Who is the bug affecting?
Anyone installing cli-core-1.0.1
What is affected by this bug?
cli-core-1.0.1 verification
How do we replicate the issue?
$ sudo gpg --keyserver hkps://pgp.mit.edu:443 --recv-keys 6387E83B4828A504
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 6387E83B4828A504: public key "NIST OSCAL Release Engineering <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
$ sudo gpg --verify cli-core-1.0.1-oscal-cli.zip.asc
gpg: assuming signed data in 'cli-core-1.0.1-oscal-cli.zip'
gpg: Signature made Thu Aug 17 19:37:40 2023 CEST
gpg: using RSA key ED3228AA14A7C25DE351F9E761D9AEB515413C8C
gpg: Good signature from "NIST OSCAL Release Engineering <[email protected]>" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: 9303 9065 D1E7 E945 4071 511D 6387 E83B 4828 A504
Subkey fingerprint: ED32 28AA 14A7 C25D E351 F9E7 61D9 AEB5 1541 3C8C
What are the steps to reproduce the behavior?
- Follow the steps in the readme
Probably related: https://github.com/usnistgov/oscal-cli/issues/182
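The transcript above shows the trap in this failure mode: gpg still prints "Good signature" (the signature is cryptographically valid) and only adds a note that the key has expired, so a script that greps for "Good signature" or relies on the exit status alone will accept the artifact. On the machine-readable status channel (`--status-fd`) gpg reports `EXPKEYSIG` instead of `GOODSIG`, and the `VALIDSIG` line carries the primary key fingerprint, which is what a release-verification step should pin rather than whatever key ID a keyserver returns. The following is an added example written for this issue, not code from the oscal-cli project or the reporter: it parses status-fd output, refuses expired, revoked or bad signatures, and checks the primary fingerprint against the one printed in the transcript. The sample status lines are constructed for this example (the `SIG_ID` value is a placeholder and the e-mail address is kept as redacted on this page); `check_sig.py` is a hypothetical file name.

```python
"""Classify a gpg --status-fd verification and pin the primary key fingerprint."""
import sys
from dataclasses import dataclass
from typing import Iterable

# Constructed sample of what gpg writes on the status channel for the transcript
# above (same signing-subkey and primary fingerprints; the SIG_ID value and the
# redacted e-mail address are placeholders). Not captured from a real run.
SAMPLE_EXPIRED_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 93039065D1E7E9454071511D6387E83B4828A504 0
[GNUPG:] SIG_ID PLACEHOLDERSIGIDXXXXXXXXXXX 2023-08-17 1692293860
[GNUPG:] EXPKEYSIG 61D9AEB515413C8C NIST OSCAL Release Engineering <[email protected]>
[GNUPG:] VALIDSIG ED3228AA14A7C25DE351F9E761D9AEB515413C8C 2023-08-17 1692293860 0 4 0 1 10 00 93039065D1E7E9454071511D6387E83B4828A504
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# The same signature as gpg would report it had the key not expired.
SAMPLE_GOOD = SAMPLE_EXPIRED_KEY.replace("EXPKEYSIG", "GOODSIG")

# Primary key fingerprint from the transcript, spaced as gpg prints it.
PINNED_PRIMARY_FPR = "9303 9065 D1E7 E945 4071 511D 6387 E83B 4828 A504"


@dataclass
class VerifyResult:
    status: str = "unknown"  # good | expired-key | expired-sig | revoked-key | bad | error | no-pubkey | unknown
    signing_key: str = ""    # fingerprint of the (sub)key that made the signature (VALIDSIG field 1)
    primary_key: str = ""    # fingerprint of the primary key (VALIDSIG last field)
    pinned_ok: bool = False  # primary_key equals the pinned fingerprint


# Signature outcome tags gpg emits on the status channel, in place of each other.
_SIG_STATUS = {
    "GOODSIG": "good",
    "EXPKEYSIG": "expired-key",  # valid signature, but the key had expired: this issue
    "EXPSIG": "expired-sig",
    "REVKEYSIG": "revoked-key",
    "BADSIG": "bad",
    "ERRSIG": "error",
    "NO_PUBKEY": "no-pubkey",
}


def parse_gpg_status(lines: Iterable[str], pinned_primary_fpr: str) -> VerifyResult:
    """Parse '[GNUPG:] ...' status lines for a single detached signature."""
    pinned = pinned_primary_fpr.replace(" ", "").upper()
    result = VerifyResult()
    for raw in lines:
        fields = raw.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag in _SIG_STATUS:
            result.status = _SIG_STATUS[tag]
        elif tag == "VALIDSIG" and len(fields) >= 12:
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pkalgo> <hash> <class> <primary-fpr>
            result.signing_key = fields[2].upper()
            result.primary_key = fields[11].upper()
            result.pinned_ok = result.primary_key == pinned
    return result


def accept(result: VerifyResult) -> bool:
    """Accept only an unexpired, unrevoked good signature made under the pinned primary key."""
    return result.status == "good" and result.pinned_ok


if __name__ == "__main__":
    # Usage (hypothetical file name):
    #   gpg --status-fd 1 --verify cli-core-1.0.1-oscal-cli.zip.asc 2>/dev/null | python3 check_sig.py
    res = parse_gpg_status(sys.stdin, PINNED_PRIMARY_FPR)
    print(f"status={res.status} primary={res.primary_key} pinned_ok={res.pinned_ok}")
    sys.exit(0 if accept(res) else 1)
```

Run against the transcript's situation this exits non-zero with `status=expired-key`, even though the fingerprint still matches. When the project publishes a new signing key, the pinned fingerprint is the one value that has to be updated out of band (from the README or release notes, not from a keyserver lookup), which is exactly the information a user needs before the newer releases can be verified.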
Unfortunately, oscal-cli v1.0.1 was sunset. Currently, per the latest change in NIST policy and due to reduced resources, our team no longer releases the tool. The team provided guidance for anyone to build their own version based on the OSCAL release version of choice.
When the US Government reopens, we will do our best to fix the identified bugs as fast as feasible.
Hi @iMichaela,
thanks for the swift reply.
> Unfortunately, oscal-cli v1.0.1 was sunset.

That is a bit unfortunate. Besides that, how can we know the current state? The readme does not mention that it was sunset, nor is the repo archived (which would make it read-only).
So far I have found https://github.com/metaschema-framework/oscal-cli, which seems to be an actively maintained fork / successor according to the description at https://github.com/oscal-club/oscal-cli-action:
A GitHub Action to process, convert, and validate OSCAL content with the oscal-cli that the metaschema-framework community maintains or the original NIST version of the tool.
I have read in the news about the shutdown, but was not really aware of the consequences on NIST in this case.
> When the US Government reopens, we will do our best to fix the identified bugs as fast as feasible.
Thanks for taking care of this then.
Just to make it a bit clearer (for other readers): the version 1.0.1 is still mentioned in the steps in the readme (main branch, which is the default).
Without directly knowing the new key ID (the expired one is 6387E83B4828A504), users cannot verify the integrity of, or follow the steps with, the 1.0.3 release.
Looking at https://github.com/usnistgov/oscal-cli/tree/develop we can see a different version mentioned in the readme but the same key ID.