The downloaded copy of the operating system must also have its digital signature verified before installation on a new host or virtual machine. To learn more, read Verifying digital signatures.
To download and verify the digital signature of the most recent version of Debian Linux:
a) Go to https://cdimage.debian.org/debian-cd/current/$ARCH/iso-dvd/
b) Download to the same directory the files
debian-$VERSION-$ARCH-DVD-1.iso (the first DVD image is enough for the usual installation),
$ARCH may be, among other options, ‘amd64’ or ‘i386’.
c) Verify the digital signature:
$ gpg --verify SHA256SUMS.sign
GPG output shows that the developer’s public key was automatically imported:
gpg: key DA87E80D6294BE9B: public key "Debian CD signing key <email@example.com>" imported
d) Look in the gpg output for:
gpg: Good signature from "Debian CD signing key <firstname.lastname@example.org>"
</gpg_replace_placeholder>