
How do I verify https://files.devuan.org/devuan-devs.gpg

1 vote
2 answers
571 views
I am running Devuan Jessie. I want to install another Devuan Ascii from scratch. So I downloaded:

- https://files.devuan.org/devuan_ascii/installer-iso/devuan_ascii_2.0.0_amd64_netinst.iso
- https://files.devuan.org/devuan_ascii/installer-iso/SHA256SUMS
- https://files.devuan.org/devuan_ascii/installer-iso/SHA256SUMS.asc
- https://files.devuan.org/devuan_ascii/devuan-devs.gpg
  - Update: it is now available at https://files.devuan.org/devuan-devs.gpg

But I found no way to authenticate devuan-devs.gpg. Other distros like Debian or Ubuntu or similar [allow me to verify the ISO](https://github.com/hilbix/download-debian) from an existing previous version. But for Devuan, I did not find any way:

```
tino@ts:~/ISO/devuan_ascii-2.0.0$ gpg --verify SHA256SUMS.asc
gpg: assuming signed data in `SHA256SUMS'
gpg: Signature made Wed 06 Jun 2018 08:55:55 PM CEST using DSA key ID 0B5F062F
gpg: Can't check signature: public key not found
tino@ts:~/ISO/devuan_ascii-2.0.0$ gpg --no-default-keyring --keyring /usr/share/keyrings/devuan-archive-keyring.gpg --verify SHA256SUMS.asc
gpg: assuming signed data in `SHA256SUMS'
gpg: Signature made Wed 06 Jun 2018 08:55:55 PM CEST using DSA key ID 0B5F062F
gpg: Can't check signature: public key not found
tino@ts:~/ISO/devuan_ascii-2.0.0$ gpg --no-default-keyring --keyring /usr/share/keyrings/devuan-keyring.gpg --verify SHA256SUMS.asc
gpg: assuming signed data in `SHA256SUMS'
gpg: Signature made Wed 06 Jun 2018 08:55:55 PM CEST using DSA key ID 0B5F062F
gpg: Can't check signature: public key not found
tino@ts:~/ISO/devuan_ascii-2.0.0$ gpg --keyring ../devuan-devs.gpg --verify SHA256SUMS.asc
gpg: assuming signed data in `SHA256SUMS'
gpg: Signature made Wed 06 Jun 2018 08:55:55 PM CEST using DSA key ID 0B5F062F
gpg: Good signature from "Vincenzo (KatolaZ) Nicosia "
gpg:                 aka "Vincenzo Nicosia (KatolaZ) "
gpg:                 aka "Vincenzo Nicosia (KatolaZ) "
gpg:                 aka "KatolaZ "
gpg:                 aka "Enzo Nicosia "
gpg:                 aka "Enzo Nicosia -- KatolaZ "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8E59 D6AA 445E FDB4 A153  3D5A 5F20 B3AE 0B5F 062F
```

As the "key is not certified", there is no indication that the key is not fake.

**How can this broken trust chain be fixed?**

https://devuan.org/os/documentation/dev1fanboy/general-information does not solve this riddle either.

Notes:

- devuan-devs.gpg probably is not fake. However, this assumption does not help. There must be some way to ensure it is not fake.
- The initial Hen-Egg problem is already solved, as Devuan (Jessie) already runs at my side.
- There certainly is some better way to authenticate Ascii's ISO than to upgrade Jessie to Ascii. Right?
Asked by Tino (1287 rep)
Aug 30, 2018, 04:01 PM
Last activity: Mar 18, 2020, 06:12 PM
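
An added example, not part of the original question or of Devuan's own tooling: one way to avoid relying on gpg's trust database is to accept the `SHA256SUMS.asc` signature only if it comes from a key whose full fingerprint was obtained through a channel independent of the download. The function names are hypothetical, and the fingerprint in the sample is simply the one printed in the output above, used as constructed test data rather than a vetted value.

```shell
#!/bin/sh
# Added example: accept a signature only if it was made by one pinned key.
# The pinned fingerprint must come from a channel independent of the download.

# Strip spaces and upper-case, so "8E59 D6AA ..." matches gpg's status format.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Reads `gpg --status-fd 1` output on stdin. Succeeds only when a VALIDSIG line
# names the pinned primary-key fingerprint (its last field) and no line reports
# a bad, unverifiable, expired-key or revoked-key signature.
signer_matches_pin() {
    pin=$(normalize_fpr "$1")
    [ "${#pin}" -eq 40 ] || return 2   # refuse short key IDs such as 0B5F062F
    awk -v pin="$pin" '
        $1 == "[GNUPG:]" && $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == pin { ok = 1 }
        END { exit !(ok && !bad) }'
}

# verify_sums KEYRING PINNED_FPR SIGFILE DATAFILE
# Uses only the given keyring; KEYRING must contain a slash (e.g. ../devuan-devs.gpg),
# otherwise gpg looks for it in its home directory.
verify_sums() {
    gpg --no-default-keyring --keyring "$1" --status-fd 1 \
        --verify "$3" "$4" 2>/dev/null | signer_matches_pin "$2"
}

# Constructed status line (not captured gpg output) to exercise the parser offline.
SAMPLE='[GNUPG:] VALIDSIG 8E59D6AA445EFDB4A1533D5A5F20B3AE0B5F062F 2018-06-06 1528311355 0 4 0 17 8 00 8E59D6AA445EFDB4A1533D5A5F20B3AE0B5F062F'
if printf '%s\n' "$SAMPLE" | signer_matches_pin '8E59 D6AA 445E FDB4 A153 3D5A 5F20 B3AE 0B5F 062F'
then echo "signer matches pinned fingerprint"
else echo "signer does NOT match pinned fingerprint"
fi
```

Once `verify_sums ../devuan-devs.gpg "$PINNED" SHA256SUMS.asc SHA256SUMS` succeeds, the ISO's line from `SHA256SUMS` can be piped to `sha256sum -c -` to check the image itself.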