Download SHA256SUMS.txt and SHA256SUMS.txt.asc
and iso(s) to the same directory.


CONFIRM A SUCCESSFUL DOWNLOAD

Verify the checksum(s)
$ sha256sum -c SHA256SUMS.txt


VERIFY THE GPG SIGNATURE

Download SHA256SUMS.txt and SHA256SUMS.txt.asc
and iso(s) to the same directory.

Get my key if you don't already have it.
$ gpg --keyserver keyserver.ubuntu.com --recv-keys 094c5620


Verify the signature file:
$ gpg --verify SHA256SUMS.txt.asc 
gpg: assuming signed data in 'SHA256SUMS.txt'
gpg: Signature made Tue 31 Dec 2019 06:22:14 AM EST
gpg:                using RSA key A73823D3094C5620
gpg: Good signature from "fsmithred (aka fsr) <fsmithred@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 67F5 0132 1627 1E85 C251  E480 A738 23D3 094C 5620

The warning occurs because my key is not in the web of trust of the user who ran this. (It's an account I use for testing.) When I run it from my real account, the output ends with the Good signature line, because this key is signed by a key that I trust. 

Note: If you normally use a different method for verifying official Devuan isos, you can do it that way. I use the same key for both.

Note 2: If you get a message saying that my key is EXPIRED then you need to refresh your keys (or at least my key).

gpg --refresh-keys 094c5620


This is current:
$ gpg --list-keys 094c5620
pub   rsa4096 2017-10-07 [SC] [expires: 2021-09-20]
      67F5013216271E85C251E480A73823D3094C5620
uid           [ultimate] fsmithred (aka fsr) <fsmithred@gmail.com>