gpg verify can't find public key
openprivacy opened this issue · 1 comment
Describe the bug
cli-core-1.0.1 does not appear to be signed with David's key
Who is the bug affecting?
Anyone installing cli-core-1.0.1
What is affected by this bug?
cli-core-1.0.1 verification
How do we replicate the issue?
$ wget -q https://repo1.maven.org/maven2/gov/nist/secauto/oscal/tools/oscal-cli/cli-core/1.0.1/cli-core-1.0.1-oscal-cli.zip
$ wget -q https://repo1.maven.org/maven2/gov/nist/secauto/oscal/tools/oscal-cli/cli-core/1.0.1/cli-core-1.0.1-oscal-cli.zip.asc
$ gpg --keyserver hkps://pgp.mit.edu:443 --recv-keys 0xE5C8BE7A12463927FDB562F9CAC75F72946C412C
gpg: key CAC75F72946C412C: public key "David Waltermire <david.waltermire@nist.gov>" imported
gpg: Total number processed: 1
gpg: imported: 1
$ gpg --verify cli-core-1.0.1-oscal-cli.zip.asc
gpg: assuming signed data in 'cli-core-1.0.1-oscal-cli.zip'
gpg: Signature made Thu 17 Aug 2023 01:37:40 PM EDT
gpg: using RSA key ED3228AA14A7C25DE351F9E761D9AEB515413C8C
gpg: Can't check signature: No public key
Expected behavior (i.e. solution)
Successful verification
Other Comments
Thank you for providing this tool
[update] cli-core-0.3.3 appears to be the last one with David's signature
@openprivacy thanks so much for bringing this to my attention. I had not correctly drafted my own checklist for #99 back when I did so, and forgot to, you know, prominently document the use of the NIST OSCAL Release Engineering key. Since David left the OSCAL project in January 2023, one of my first transition activities in taking over the repo was transitioning to a project-based key and not continuing the use of a personal key from a staff member who left the project.
On that note, I will be updating the README in a few moments to point to 0x6387e83b4828a504 for oscal@nist.gov's key, which you can also find by searching public keyservers, but I most certainly know why you want an official source of information beyond this issue comment. :-)
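The following verification helper is an added example, not code from the oscal-cli project or from either participant in this issue. It turns the manual steps in the report (download the artifact and its .asc, import a key, run gpg --verify) into a check that only passes when the signer is one of a pinned set of full fingerprints: it drives gpg with --status-fd so the decision is made on machine-readable VALIDSIG / NO_PUBKEY / BADSIG lines rather than on the "Good signature" text, reports the missing key ID on NO_PUBKEY instead of silently fetching it from a keyserver, and accepts a signature made by a subkey whose primary key is pinned. The only fingerprint in the allowlist is David's, taken from the issue; the Release Engineering key is referenced in the comment above only by its long ID, so its full fingerprint must be obtained out of band and added to TRUSTED_FINGERPRINTS. The sample status lines and timestamp used for the offline demonstration are constructed.

```python
"""Pin-the-signer verification of a detached GPG signature.

Added example (not oscal-cli project code). Decides on gpg's --status-fd
lines (VALIDSIG / NO_PUBKEY / BADSIG) instead of the human-readable output.
"""
import os
import re
import subprocess
from dataclasses import dataclass

# Full 40-hex fingerprints allowed to sign releases.
# David Waltermire's fingerprint is the one quoted in this issue (signed releases
# up to cli-core-0.3.3). The Release Engineering key (oscal@nist.gov, long ID
# 0x6387E83B4828A504 per the maintainer's comment) must be added by its FULL
# fingerprint once obtained out of band; a 64-bit key ID is not a safe pin.
TRUSTED_FINGERPRINTS = {
    "E5C8BE7A12463927FDB562F9CAC75F72946C412C",
}

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    signing_fpr: str = ""    # fingerprint of the (sub)key that made the signature
    primary_fpr: str = ""    # fingerprint of its primary key
    missing_keyid: str = ""  # set when gpg reported NO_PUBKEY


def normalize_fpr(value: str) -> str:
    """Upper-case hex with spaces and a leading 0x removed."""
    value = value.replace(" ", "").upper()
    return value[2:] if value.startswith("0X") else value


def evaluate_status(status_text: str, trusted_fprs) -> VerifyResult:
    """Decide from gpg's --status-fd output whether a pinned key signed the data."""
    trusted = {normalize_fpr(f) for f in trusted_fprs}
    valid_sigs, missing, bad = [], [], False
    for line in status_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword == "NO_PUBKEY" and args:
            missing.append(args[0])
        elif keyword == "BADSIG":
            bad = True
        elif keyword == "VALIDSIG" and args:
            signing = normalize_fpr(args[0])
            # Field 10 of VALIDSIG is the primary key fingerprint (differs from
            # field 1 when a subkey signed); fall back to the signer if absent.
            primary = normalize_fpr(args[9]) if len(args) >= 10 else signing
            valid_sigs.append((signing, primary))
    if bad:
        return VerifyResult(False, "BADSIG: signature does not match the data")
    if not valid_sigs:
        if missing:
            return VerifyResult(False, f"NO_PUBKEY: signer {missing[0]} not in keyring",
                                missing_keyid=missing[0])
        return VerifyResult(False, "gpg reported no valid signature")
    for signing, primary in valid_sigs:
        if signing in trusted or primary in trusted:
            return VerifyResult(True, "valid signature from a pinned key", signing, primary)
    signing, primary = valid_sigs[0]
    return VerifyResult(False, "valid signature, but the signer is not a pinned key",
                        signing, primary)


def verify_artifact(artifact, signature, trusted_fprs=TRUSTED_FINGERPRINTS, gnupghome=None):
    """Run gpg on a detached signature and apply the pin check (needs gpg installed)."""
    env = dict(os.environ)
    if gnupghome:
        env["GNUPGHOME"] = gnupghome
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True, env=env, check=False)
    return evaluate_status(proc.stdout, trusted_fprs)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        result = verify_artifact(sys.argv[1], sys.argv[2])
    else:
        # Constructed status output mirroring the failure in this issue; the key ID
        # is the last 16 hex digits of the fingerprint gpg printed (61D9AEB515413C8C).
        result = evaluate_status(
            "[GNUPG:] NEWSIG\n"
            "[GNUPG:] ERRSIG 61D9AEB515413C8C 1 10 00 1692293860 9 "
            "ED3228AA14A7C25DE351F9E761D9AEB515413C8C\n"
            "[GNUPG:] NO_PUBKEY 61D9AEB515413C8C\n",
            TRUSTED_FINGERPRINTS)
    print("OK" if result.ok else "FAIL", result.reason)
    sys.exit(0 if result.ok else 1)
```

Usage: `python verify_release.py cli-core-1.0.1-oscal-cli.zip cli-core-1.0.1-oscal-cli.zip.asc`. When the script reports NO_PUBKEY, import the key by its full fingerprint (`gpg --recv-keys <40-hex fingerprint>`), not by the short ID gpg prints, and remember that a keyserver only tells you a key exists; the allowlist in the script is what says it is the project's.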