Hi list,
I wanted to verify the checksum of the netinst installer and noticed the
following:
- the URL mentioned in the README.txt[1] to get rrq's GPG key gives
olaf@quark:~$ curl "https://pgp.pm/pks/lookup?op=get&search=0x70285BA5CF280BA4"
curl: (51) SSL: no alternative certificate subject name matches target host name 'pgp.pm'
That doesn't look very reassuring if you ask me. I suggest this URL
gets replaced with one for which the TLS certificate is valid.
FWIW, I eventually fetched rrq's GPG key with
olaf@quark:~$ gpg --keyserver hkps://pgpkeys.eu --recv-keys 70285BA5CF280BA4
and the following URL worked fine for me too
https://pgpkeys.eu/pks/lookup?op=get&search=0x70285BA5CF280BA4
[1]: https://files.devuan.org/devuan_ascii/installer-iso/README.txt
- I expected the SHA256SUMS.asc[2] file to be a detached signature so
downloaded SHA256SUMS[3] as well and when I checked I got a slightly
surprising result:
olaf@quark:~$ gpg --verify SHA256SUMS.asc SHA256SUMS
gpg: not a detached signature
This was more promising
olaf@quark:~$ gpg --verify SHA256SUMS.asc
gpg: Signature made Thu Nov 21 19:55:37 2019 JST
gpg: using RSA key E93D7167A4F5FA9E9FED497770285BA5CF280BA4
gpg: Can't check signature: No public key
But then when I pass the devuan-devs.gpg keyring, I get
olaf@quark:~$ gpg --keyring $PWD/devuan-devs.gpg --verify SHA256SUMS.asc
gpg: Signature made Thu Nov 21 19:55:37 2019 JST
gpg: using RSA key E93D7167A4F5FA9E9FED497770285BA5CF280BA4
gpg: Good signature from "Ralph Ronnquist (rrq) <ralph.ronnquist@???>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E93D 7167 A4F5 FA9E 9FED 4977 7028 5BA5 CF28 0BA4
gpg: WARNING: not a detached signature; file 'SHA256SUMS' was NOT verified!
That final warning goes away when I remove the SHA256SUMS file.
Perhaps some instructions on verification of signatures and checksums
are in order? Even just a link to a place where this information can
be found would be nice.
FWIW, I used the following for my amd64 netinst installer
olaf@quark:~$ grep amd64_netinst SHA256SUMS.asc | sha256sum -c -
devuan_ascii_2.1_amd64_netinst.iso: OK
[2]: https://files.devuan.org/devuan_ascii/installer-iso/SHA256SUMS.asc
[3]: https://files.devuan.org/devuan_ascii/installer-iso/SHA256SUMS
Hope this helps,
--
Olaf Meeuwissen, LPIC-2 FSF Associate Member since 2004-01-27
GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
Support Free Software https://my.fsf.org/donate
Join the Free Software Foundation https://my.fsf.org/join
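The verification procedure the mail asks for instructions on, as an added example written for this page; it is not code from the original message or from the Devuan project. It uses gpgv, which ships with GnuPG and treats every key in the keyring passed via --keyring as fully trusted, so the devuan-devs.gpg keyring named in the mail verifies the clearsigned SHA256SUMS.asc without the "not certified" warning that gpg --verify prints, and it only reads checksum lines from the body that gpgv wrote out after a good signature. Assumed and not from the page: gpgv and GNU coreutils sha256sum are installed, and the function names are mine.

```shell
#!/bin/sh
# Added example: verify a clearsigned SHA256SUMS.asc with gpgv, then check
# an installer ISO against the *verified* checksum list only.  Not part of
# the original message or of the Devuan project.
#
# Assumptions (not from the page): gpgv and sha256sum (GNU coreutils) are
# installed; devuan-devs.gpg is a binary keyring holding the signing key;
# the signed body uses the usual "<hex digest>  <file name>" layout.
# Function names are hypothetical.
set -eu

# gpgv treats every key in the keyring as trusted, so a good signature comes
# back clean.  Its --output file is only meaningful when it exits 0, so any
# stale copy is removed first: a later step must never see checksums that a
# failed verification left behind.
verified_sums() {
    keyring=$1; asc=$2; out=$3
    rm -f "$out"
    gpgv --keyring "$keyring" --output "$out" "$asc"
}

# Compare one file against an already-verified checksum list.  Accepts both
# "hash  name" and sha256sum's binary-mode "hash *name".  Returns 1 if the
# file is not listed or its digest differs; the reason goes to stderr.
check_iso() {
    sums=$1; iso=$2
    expected=$(awk -v f="$(basename "$iso")" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "$iso: not listed in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "$iso: SHA256 mismatch (expected $expected, got $actual)" >&2
        return 1
    fi
    echo "$iso: OK"
}

# Full flow: signature first, checksum second, and only from gpgv's output.
# Usage:
#   verify_installer devuan-devs.gpg SHA256SUMS.asc devuan_ascii_2.1_amd64_netinst.iso
verify_installer() {
    keyring=$1; asc=$2; iso=$3
    verified_sums "$keyring" "$asc" "$asc.verified" || {
        echo "$asc: signature did NOT verify; refusing to use its checksums" >&2
        return 1
    }
    check_iso "$asc.verified" "$iso"
}
```

The checksum line is taken from the file gpgv wrote, not from SHA256SUMS.asc itself, so a bad or unknown signature stops the procedure before any digest is compared; piping a grep of the .asc straight into sha256sum -c checks the download against whatever the .asc says, whether or not its signature was ever verified. Keeping the detached SHA256SUMS file next to the .asc is unnecessary with this flow, which also avoids the "file 'SHA256SUMS' was NOT verified!" warning from the mail.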