Official releases of Debian installation and live images come with
signed checksum files; look for them alongside the images in
the iso-cd, jigdo-dvd, iso-hybrid
etc. directories. These files allow you to check that the images you
download are correct. First of all, the checksum can be used to check
that the images have not been corrupted during download. Secondly, the
signatures on the checksum files allow you to confirm that the images
are the ones created and released by Debian, and have not been
tampered with.
To validate the contents of an image file, be sure to use the
appropriate checksum tool. Cryptographically strong checksum
algorithms (SHA256 and SHA512) are available for every releases; you
should use the matching tools
sha256sum or sha512sum to work with these.
To ensure that the checksums files themselves are correct, use an OpenPGP
implementation (such as GnuPG, Sequoia-PGP, PGPainless or GopenPGP) to
verify them against the accompanying signature files (e.g.
SHA512SUMS.sign). The keys used for these signatures are
all in the Debian OpenPGP keyring
and the best way to check them is to use that keyring to validate via
the web of trust. To make life easier for people who don't have ready
access to an existing Debian machine, here are details of the keys
that have been used to sign releases in recent years, and links to
download the public keys directly: