I also note that nobody's signed the key to attest its validity on the keyservers. That's not necessarily required for rpms, but might be a good idea. When I get a chance to verify it with Devrim via a side channel I'll sign it and push my signature.