---------- Forwarded message ---------
From: Andy Doucette <andy.doucette@???>
Date: Wed, Feb 19, 2025 at 7:07 PM
Subject: SHA256SUMS.txt.asc signed by a key not in https://devuan.org/os/team
To: <submit@???>
Cc: <rrq@???>
I'm trying Devuan for the first time.
I downloaded the following files:
https://mirror.leaseweb.com/devuan/devuan_daedalus/installer-iso/SHA256SUMS.txt
https://mirror.leaseweb.com/devuan/devuan_daedalus/installer-iso/SHA256SUMS.txt.asc
I ran this command:
$ gpg --no-default-keyring --keyring ./devuan-devs.gpg --verify SHA256SUMS.txt.asc
gpg: assuming signed data in 'SHA256SUMS.txt'
gpg: Signature made Thu Sep 14 18:43:27 2023 PST
gpg: using RSA key 619933B4CD8A97408A3C47E2680B5A1F661ECDBC
gpg: Good signature from "Ralph Ronnquist <rrq@???>" [unknown]
gpg: aka "[jpeg image of size 3650]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6199 33B4 CD8A 9740 8A3C 47E2 680B 5A1F 661E CDBC
I searched for "6199" on the Team Page <https://www.devuan.org/os/team> and it does not exist there. Ralph is there, but with a different key.
Is there a supply chain attack going on, or did someone forget to update the Team Page?
I checked, and at least 5 mirrors have the same issue.
I'm a bit scared to use the image now, since it's not technically trusted.
Andy
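The check Andy did by hand (verify the signature, then compare the signing key's fingerprint with the published team page) can be scripted so that the verification fails closed whenever the key is not one you have pinned. The script below is an added example written for this page; it is not Devuan's own tooling and is not from the message above. It uses `gpg --status-fd` because the human-readable output is not meant for parsing, and it pins the primary-key fingerprint rather than trusting the keyring's web-of-trust state. The keyring path, the sample allowlist, the constructed status lines and the `--ignore-missing` flag of GNU `sha256sum` are assumptions for illustration; copy the real fingerprints from the team page yourself.

```shell
#!/bin/sh
# Added example, not part of the original message or of Devuan's own tooling.
# Verifies a mirror's SHA256SUMS.txt against SHA256SUMS.txt.asc and, instead of
# relying on the keyring's web-of-trust state, pins the signing key's primary
# fingerprint to an allowlist copied by hand from https://www.devuan.org/os/team.
# Assumptions (not from the page): the keyring path, the sample allowlist, the
# constructed gpg status lines below, and GNU sha256sum's --ignore-missing flag.

# Pull the primary-key fingerprint out of gpg --status-fd output.
# Only "[GNUPG:]"-prefixed lines are machine-readable; VALIDSIG is emitted only
# for a cryptographically valid signature, and its last field is the primary
# key fingerprint (gpg prints it even when the signature was made by a subkey).
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Return 0 if fingerprint $1 appears in the newline-separated allowlist $2.
# Both sides are normalized (spaces stripped, upper-cased) so the grouped
# "6199 33B4 ..." form that gpg prints compares equal to the unspaced form.
fpr_allowed() {
    want=$(printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 1
    printf '%s\n' "$2" | tr -d ' ' | tr 'a-f' 'A-F' | grep -qxF "$want"
}

# Full check: $1 keyring, $2 detached signature, $3 signed file, $4 allowlist.
# gpg --verify exits 0 for a good signature even while printing the
# "not certified with a trusted signature" warning, so the exit status alone
# says nothing about whose key signed; the allowlist comparison does.
verify_sums() {
    keyring=$1; sig=$2; data=$3; allow=$4
    status=$(gpg --no-default-keyring --keyring "$keyring" --status-fd 1 \
                 --verify "$sig" "$data" 2>/dev/null) || {
        echo "FAIL: signature on $data is bad or could not be checked" >&2
        return 1
    }
    fpr=$(printf '%s\n' "$status" | primary_fpr_from_status)
    if ! fpr_allowed "$fpr" "$allow"; then
        echo "FAIL: good signature, but primary key '$fpr' is not on the allowlist" >&2
        return 1
    fi
    echo "OK: $data signed by allowlisted key $fpr"
    # Only now is the checksum file worth anything; check whichever ISOs are present.
    sha256sum --ignore-missing -c "$data"
}

# --- constructed sample data, so this file runs without gpg or a mirror ---
# The fingerprint is the one printed in the message above; the timestamps and
# the remaining VALIDSIG fields are made up to follow gpg's documented layout.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 680B5A1F661ECDBC Ralph Ronnquist <rrq@???>
[GNUPG:] VALIDSIG 619933B4CD8A97408A3C47E2680B5A1F661ECDBC 2023-09-14 1694738607 0 4 0 1 8 00 619933B4CD8A97408A3C47E2680B5A1F661ECDBC
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# Allowlist in the spaced form you would paste from the team page (constructed).
SAMPLE_ALLOWLIST='6199 33B4 CD8A 9740 8A3C 47E2 680B 5A1F 661E CDBC'

demo() {
    fpr=$(printf '%s\n' "$SAMPLE_STATUS" | primary_fpr_from_status)
    if fpr_allowed "$fpr" "$SAMPLE_ALLOWLIST"; then
        echo "demo: $fpr is on the allowlist"
    else
        echo "demo: $fpr is NOT on the allowlist"
    fi
}

if [ "$#" -eq 4 ]; then
    # e.g. ./devuan-devs.gpg SHA256SUMS.txt.asc SHA256SUMS.txt "$(cat team-fprs.txt)"
    verify_sums "$@"
else
    demo
fi
```

The `[unknown]` in gpg's output describes the keyring's trust database, not whether the key belongs to the project, which is why the script compares the fingerprint against a list you maintain instead of asking gpg whether it trusts the key. If the team page and the signing key disagree, as in the message above, the script refuses to go on to the checksum step, which is the safe default until the discrepancy is resolved out of band.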