Installer image signed with the wrong key
I downloaded the Devuan installer both as a torrent (info hash: 9B0FA597AB8BDD89A57434876947DBE378A79AAD) and from files.devuan.org. Verification of SHA256SUMS.asc fails, because it is signed with 73B35DA54ACB7D10, but the Devuan signing key is 94532124541922FB. I downloaded everything over HTTPS, so I don't think MitM tampering is possible. (Torrent clients also verify the data, as long as the info hash is right.)
I found the key used for signing here: https://www.reddit.com/r/KeybaseProofs/comments/2t195h/my_keybase_proof_redditjaromil_keybasejaromil/
I'm inclined to believe this key was used accidentally, because an attacker linking to their keybase account is an exceptionally bad idea.
-
The Devuan signing key 94532124541922FB is used to sign packages. The SHA256SUMS.asc file is signed with Jaromil's key 73B35DA54ACB7D10:
[alessandro@wkstn04 ~]$ LANG=C gpg --keyserver "$KEYSERVER" --recv-key 4ACB7D10
gpg: requesting key 4ACB7D10 from hkp server pgp.key-server.io
gpg: key 4ACB7D10: public key "Denis Roio (Jaromil) <jaromil@dyne.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
[alessandro@wkstn04 ~]$ LANG=C gpg --verify ~/Scaricati/Devuan/devuan_jessie_beta/SHA256SUMS.asc
gpg: assuming signed data in `/home/alessandro/Scaricati/Devuan/devuan_jessie_beta/SHA256SUMS'
gpg: Signature made Fri Apr 29 11:10:22 2016 CEST using RSA key ID 4ACB7D10
gpg: Good signature from "Denis Roio (Jaromil) <jaromil@dyne.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6113 D89C A825 C5CE DD02 C872 73B3 5DA5 4ACB 7D10
[alessandro@wkstn04 ~]$
Edited by Alessandro Selli
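The session above stops at "Good signature", which only says the signature is internally valid, not that the expected key made it. As an added example (not code from the forum thread or from Devuan), the check below parses gpg's machine-readable status output and accepts a SHA256SUMS signature only when the signing key matches a pinned key; the status lines are constructed to mirror the session above, and the expected Devuan key ID is the one named in the thread.

```python
import re
import subprocess
from typing import NamedTuple, Optional

# Constructed `gpg --status-fd 1` output modelled on the session in the thread:
# the signature is good, but made by Jaromil's key, not the Devuan signing key.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 73B35DA54ACB7D10 Denis Roio (Jaromil) <jaromil@dyne.org>
[GNUPG:] VALIDSIG 6113D89CA825C5CEDD02C87273B35DA54ACB7D10 2016-04-29 1461921022 0 4 0 1 8 00 6113D89CA825C5CEDD02C87273B35DA54ACB7D10
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Long key ID of the key the release is expected to be signed with (from the thread).
# In practice pin the full 40-hex fingerprint; the thread only gives the 64-bit ID.
EXPECTED_DEVUAN_KEY = "94532124541922FB"

class Verdict(NamedTuple):
    ok: bool
    fingerprint: Optional[str]
    reason: str

def check_status(status: str, expected_key: str) -> Verdict:
    """Accept only a GOOD signature whose key matches the pinned fingerprint or long ID."""
    good, fpr = False, None
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] == "GOODSIG":
            good = True
        elif fields[1] == "VALIDSIG":
            fpr = fields[2].upper()  # full fingerprint of the key that made the signature
        elif fields[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return Verdict(False, None, f"gpg reported {fields[1]}")
    if not good or fpr is None:
        return Verdict(False, fpr, "no good signature found")
    exp = re.sub(r"\s+", "", expected_key).upper()
    # Accept a full fingerprint or a 16-hex long ID; 8-hex short IDs collide too easily.
    if fpr == exp or (len(exp) == 16 and fpr.endswith(exp)):
        return Verdict(True, fpr, "signed by the pinned key")
    return Verdict(False, fpr, f"good signature, but from unexpected key ...{fpr[-16:]}")

def verify_file(sig_path: str, expected_key: str) -> Verdict:
    """Run gpg on a clearsigned file such as SHA256SUMS.asc and apply the pin."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path],
                          capture_output=True, text=True)
    return check_status(proc.stdout, expected_key)

if __name__ == "__main__":
    print(check_status(SAMPLE_STATUS, EXPECTED_DEVUAN_KEY))
```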
Please, answer with a new message instead of editing your original one.
I do not think there was any error: package signing must have its own, distinct key that is used solely for that purpose (and the package signing process is likely automatically performed upon package upload). Everything else must be signed with different keys, for at least one good reason: should the package signing key be compromised, there must be other trusted keys, already known to the public, that assure people that every communication and remedy concerning the package key breach is from the real site administrators and distribution managers.
I do not get the meaning of your last line of comment:
"I'm inclined to believe this key was used accidentally, because an attacker linking to their keybase account is an exceptionally bad idea."
Please elaborate on that.
Edited by Alessandro Selli