Installer image signed with the wrong key
I downloaded the Devuan installer both as a torrent (info hash: 9B0FA597AB8BDD89A57434876947DBE378A79AAD) and from files.devuan.org. Verification of SHA256SUMS.asc fails, because it is signed with 73B35DA54ACB7D10, but the Devuan signing key is 94532124541922FB. I downloaded everything over HTTPS, so I don't think MitM tampering is possible. (Torrent clients also verify the data, as long as the info hash is right.)
I found the key used for signing here: https://www.reddit.com/r/KeybaseProofs/comments/2t195h/my_keybase_proof_redditjaromil_keybasejaromil/
I'm inclined to believe this key was used accidentally, because an attacker linking to their keybase account is an exceptionally bad idea.
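The check this report turns on, as an added example that is not part of the original post: a shell function that reads `gpg --status-fd` output and reports whether the signature was made by the expected key, so that a "good signature" from some other key is still rejected. The function name `signer_verdict` and the sample status lines are constructed for illustration, and the usage comment assumes `SHA256SUMS.asc` is a detached signature over `SHA256SUMS`.

```shell
#!/bin/sh
# Added example (not from the original post).
# Key ID the post gives as the Devuan signing key. A full 40-hex fingerprint
# from a trusted source is a stronger pin than a 64-bit key ID.
EXPECTED_KEYID="94532124541922FB"

# signer_verdict EXPECTED_KEYID < gpg-status-lines
# Prints "<verdict> <signer key ID>" and returns 0 only for "good".
#   good        valid signature by the expected key
#   wrong-key   signature (valid or not checkable) by a different key
#   missing-key signed by the expected key, but it is not in the keyring
#   bad         expected key, but the signature does not match the data
#   none        no signature status seen at all
signer_verdict() {
  expected=$1
  verdict="none"
  signer=""
  while read -r tag kw id rest; do
    [ "$tag" = "[GNUPG:]" ] || continue
    case $kw in GOODSIG|BADSIG|ERRSIG) ;; *) continue ;; esac
    # gpg reports a long key ID or a fingerprint; compare the last 16 hex digits.
    signer=${id#"${id%????????????????}"}
    if [ "$signer" != "$expected" ]; then verdict="wrong-key"
    elif [ "$kw" = GOODSIG ]; then verdict="good"
    elif [ "$kw" = BADSIG ]; then verdict="bad"
    else verdict="missing-key"
    fi
    [ "$verdict" = good ] || break   # stop at the first problem
  done
  echo "$verdict${signer:+ $signer}"
  [ "$verdict" = good ]
}

# Constructed status output for the situation in the post: the signature names
# a key other than the expected one, and that key is not in the keyring.
SAMPLE_STATUS='[GNUPG:] ERRSIG 73B35DA54ACB7D10 1 8 00 1500000000 9
[GNUPG:] NO_PUBKEY 73B35DA54ACB7D10'

printf '%s\n' "$SAMPLE_STATUS" | signer_verdict "$EXPECTED_KEYID" \
  || echo "signer is not the expected key; do not trust the checksums yet"

# Real use (assumes a detached signature):
#   gpg --status-fd 1 --verify SHA256SUMS.asc SHA256SUMS 2>/dev/null \
#     | signer_verdict "$EXPECTED_KEYID"
```
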