Hacker News

firesteelrain, yesterday at 7:50 PM

If you want real integrity + provenance, you need a GPG-signed ISO and a public key obtained independently (or at least via HTTPS). Hashes alone aren’t a security measure; HTTPS + signatures are the modern minimum.
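An added example, not part of the comment above: one way to check a detached GPG signature on an ISO against a fingerprint obtained independently of the download. The function name `verify_iso` and its four arguments are assumptions made for this sketch; the `gpg` options and the `VALIDSIG` status line are standard GnuPG.

```bash
#!/usr/bin/env bash
# verify_iso ISO SIG KEYFILE EXPECTED_FPR   (hypothetical helper, added example)
#   ISO           the downloaded image
#   SIG           detached signature published for it
#   KEYFILE       exported public key of the publisher
#   EXPECTED_FPR  40-hex fingerprint obtained out of band (not from the mirror)
# Returns 0 only if the signature is good AND was made under the pinned key.
verify_iso() {
    local iso=$1 sig=$2 keyfile=$3 want=$4 home status got rc=1

    # Normalise the pinned fingerprint: strip spaces, upper-case the hex digits.
    want=$(printf '%s' "$want" | tr -d ' ' | tr 'a-f' 'A-F')

    # Throwaway keyring, so keys already in ~/.gnupg cannot satisfy the check.
    home=$(mktemp -d) || return 2
    chmod 700 "$home"

    if gpg --homedir "$home" --batch --quiet --import "$keyfile" 2>/dev/null; then
        # --status-fd 1 prints machine-readable status lines; gpg must also exit 0.
        if status=$(gpg --homedir "$home" --batch --status-fd 1 \
                        --verify "$sig" "$iso" 2>/dev/null); then
            # "[GNUPG:] VALIDSIG <fpr> ... <primary-key-fpr>": compare the last
            # field (primary key fingerprint) with the pinned value.
            got=$(printf '%s\n' "$status" |
                  awk '$2 == "VALIDSIG" { print $NF; exit }')
            [ -n "$got" ] && [ "$got" = "$want" ] && rc=0
        fi
    fi

    rm -rf "$home"
    return "$rc"
}
```

A key file fetched from the same server as the ISO passes the signature step just as well as the real one, which is why the fingerprint comparison is the part that carries the provenance check.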