Hello, and thank you very much for your work.
I have just discovered something strange and worrying about some of the Devuan 6.1 files that I downloaded via the official magnet link.
Regarding the desktop-live/ and minimal-live/ directories, everything is OK, because the command
gpg --verify .iso.sha256.asc .iso.sha256 returns:
gpg: Signature made Sat Jan 3 01:09:42 2026 CET gpg: using RSA key 67F5013216271E85C251E480A73823D3094C5620 gpg: Good signature from "fsmithred (aka fsr) " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 67F5 0132 1627 1E85 C251 E480 A738 23D3 094C 5620This result is normal and confirms the authenticity of the .sha256 file in relation to Devuan's official public GPG key, which I imported into my keyring from the official file https://files.devuan.org/devuan-devs.gpg, without assigning it a specific trust level.
BUT, in the installer-iso/ directory:
user@devuan:~$ gpg --verify SHA256SUMS.txt.asc SHA256SUMS.txt gpg: Signature made Thu Dec 25 19:41:10 2025 CET gpg: using RSA key 185E56E98DA03B6CEADAC81983161D4768BE620B gpg: issuer "dev1@tempforever.com" gpg: Can't check signature: No public key→ This RSA fingerprint does not match any key in my GPG keyring, even though I imported the contents of the official file https://files.devuan.org/devuan-devs.gpg!
The gpg --verify result is the same when I download these two files, SHA256SUMS.txt.asc and SHA256SUMS.txt, via HTTP from an official mirror.
I see two possibilities:
- Either the official file https://files.devuan.org/devuan-devs.gpg is incomplete
- Or the files in the installer-iso/ directory have been tampered with by an unauthorized person (outside the Devuan team project)
- Regarding the address dev1@tempforever.com, DuckDuckGo returns a list of temporary email address providers, and nothing for “tempforever.com.”
- The tempforever.com website cannot be reached via HTTP because its Apache 2.4.65 server running Debian (IP: 167.88.38.250) located in Boston, USA, is not configured (according to https://sitecheck.sucuri.net/).
- A whois query indicates that the tempforever.com domain was created on March 30, 2021. A few months later, on December 26, 2021, a snapshot of the site's home page was saved on the Internet Archive (https://web.archive.org/web/20211226174 … rever.com/), which redirects to an April 15, 2022 archive of splittheirears.com
I work with Devuan 5 every day and I need to have confidence in the entire Devuan infrastructure in order to continue with Devuan 6.
Am I missing something? Or is this a real problem?
Source: https://dev1galaxy.org/viewtopic.php?id=7719&action=new