No, but Debian itself seems to be heading that way the last decade. I moved to Devuan when it became available for the machines that would otherwise run Debian. It's identical to Debian for the moment except for a refreshing absence of systemd. You can find more here:
www.devuan.org
About the verifying with a public OpenPGP key, I'll just say "key" now, that's poorly described for most any distro, as far as I know. Here's how you'd do it for Debian. First, start with a matched set of SHA512SUMS, SHA512SUMS.sign, and a disc image. If you don't have the key, the verification will produce an error and tell you the key type and fingerprint of the missing key:
Code:
$ gpg --verify SHA512SUMS.sign SHA512SUMS
gpg: Signature made Sat 14 Oct 2017 06:49:27 PM EEST
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Can't check signature: No public key
The Debian web site should list the fingerprint, but it doesn't except for one place:
https://www.debian.org/CD/verify
Anyway, when I load that link, I see that one of the key fingerprints matches what SHA512SUMS.sign asks for. If you don't have the Debian keyring package already installed, then you'll have to bootstrap things and get the key manually from a key
server with that key, such as keyring.debian.org.
Code:
gpg --keyserver=keyring.debian.org --recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B
.
gpg --list-keys DF9B9Ce49EAA9298432589D76DA87E80D6294BE9B
gpg --fingerprint DF9B9C49EAA9298432589D76DA87E80D6294BE9B
The first line gets a key with that fingerprint (we'll skip a digression about collisions) and then the second line shows it in your local keyring. The third line shows the full finger print to compare again to the Debiean web site's example.
Then you can try verifying the SHA512SUMS file with the key present:
Code:
gpg --verify SHA512SUMS.sign SHA512SUMSgpg: Signature made Sat 14 Oct 2017 06:49:27 PM EEST
gpg: using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
See "web of trust" about the warning, but for now you've verified it as much as you can. Then use the SHA512SUMS file to check the disc image:
Code:
sha512sum --ignore-missing -c SHA512SUMS
And Bob's your uncle.