Download SHA256SUMS.txt and SHA256SUMS.txt.asc and iso(s) to the same directory. CONFIRM A SUCCESSFUL DOWNLOAD Verify the checksum(s) $ sha256sum -c SHA256SUMS.txt VERIFY THE GPG SIGNATURE Download SHA256SUMS.txt and SHA256SUMS.txt.asc and iso(s) to the same directory. Get my key if you don't already have it. $ gpg --keyserver keyserver.ubuntu.com --recv-keys 094c5620 Verify the signature file: $ gpg --verify SHA256SUMS.txt.asc gpg: assuming signed data in 'SHA256SUMS.txt' gpg: Signature made Tue 31 Dec 2019 06:22:14 AM EST gpg: using RSA key A73823D3094C5620 gpg: Good signature from "fsmithred (aka fsr) " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 67F5 0132 1627 1E85 C251 E480 A738 23D3 094C 5620 The warning occurs because my key is not in the web of trust of the user who ran this. (It's an account I use for testing.) When I run it from my real account, the output ends with the Good signature line, because this key is signed by a key that I trust. Note: If you normally use a different method for verifying official Devuan isos, you can do it that way. I use the same key for both. Note 2: If you get a message saying that my key is EXPIRED then you need to refresh your keys (or at least my key). gpg --refresh-keys 094c5620 This is current: $ gpg --list-keys 094c5620 pub rsa4096 2017-10-07 [SC] [expires: 2021-09-20] 67F5013216271E85C251E480A73823D3094C5620 uid [ultimate] fsmithred (aka fsr)