It's paramount to verify your install media before installing: man-in-the-middle attacks (even over the public Internet) can happen and can result in your install media being compromised.
As a second source for verification, the Qubes master signing key is
pub   4096R/36879494 2010-04-01
      Key fingerprint = 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
uid   Qubes Master Signing Key
See the Qubes documentation on verifying signatures for a step-by-step guide. That guide is slightly dated; details such as the GPG output have changed slightly over time.
Create a new Qube
Launch a new disposable qube. This tutorial uses a Debian Stretch disposable qube; a disposable qube is best because it is the 'cleanest' starting point.
Download the signing key
gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
With expected output
gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc'
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key DDFA1A3E36879494: public key "Qubes Master Signing Key" imported
gpg: Total number processed: 1
gpg:               imported: 1
Verify the signing key's fingerprint and set its trust
gpg --edit-key 0x36879494
With expected output (compare the fingerprint printed after fpr with the one given above)
gpg --edit-key 0x36879494
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  rsa4096/DDFA1A3E36879494
     created: 2010-04-01  expires: never       usage: SC
     trust: unknown       validity: unknown
[ unknown] (1). Qubes Master Signing Key

gpg> fpr
pub   rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
 Primary key fingerprint: 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494

gpg> trust
pub  rsa4096/DDFA1A3E36879494
     created: 2010-04-01  expires: never       usage: SC
     trust: unknown       validity: unknown
[ unknown] (1). Qubes Master Signing Key

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  rsa4096/DDFA1A3E36879494
     created: 2010-04-01  expires: never       usage: SC
     trust: ultimate      validity: unknown
[ unknown] (1). Qubes Master Signing Key
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> q
Pull down the Qubes 4 release signing key
gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc
With expected output
gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-release-4-signing-key.asc'
gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
gpg: Total number processed: 1
gpg:               imported: 1
Verify the ISO
gpg -v --verify Qubes-R4.0.1-rc1-x86_64.iso.asc Qubes-R4.0.1-rc1-x86_64.iso
With expected output
gpg: Signature made Sun 04 Nov 2018 12:30:48 PM UTC
gpg:                using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: using pgp trust model
gpg: checking the trustdb
gpg: 1 key processed (0 validity counts cleared)
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: Good signature from "Qubes OS Release 4 Signing Key" [full]
gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096
If you see
gpg: Good signature from "Qubes OS Release 4 Signing Key" [full]
then the signature is good. The "[full]" matters: the release key is rated fully valid because it is certified by the master key you just marked as ultimately trusted, so a good signature from an uncertified key would not pass this check.
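The whole procedure above, scripted as an added example (not the tutorial's or the Qubes project's own code): it compares the master key fingerprint by machine and judges the ISO signature from gpg's --status-fd lines instead of the human-readable text, using the two fingerprints quoted on this page. The status-line samples are constructed, and the script assumes gpg and awk are installed.

```shell
#!/bin/sh
# Added example, not the tutorial's own code: the same checks done without
# eyeballing. The master key fingerprint is compared by machine, and the ISO
# signature is judged from gpg's --status-fd lines rather than by grepping the
# localized, version-dependent "Good signature" text. Assumes gpg and awk.
MASTER_FPR="427F11FD0FAA4B080123F01CDDFA1A3E36879494"   # from the page
RELEASE_FPR="5817A43B283DE5A9181A522E1848792F9E2795E9"  # from the page
# Succeeds only if the imported master key's fingerprint equals MASTER_FPR.
# --with-colons is a stable format; the fingerprint is field 10 of "fpr".
check_master_fpr() {
  gpg --with-colons --fingerprint "0x$MASTER_FPR" 2>/dev/null |
    awk -F: -v want="$MASTER_FPR" '$1 == "fpr" && $10 == want { ok = 1 } END { exit !ok }'
}

# Read "[GNUPG:] ..." status lines on stdin. Succeeds only when a VALIDSIG was
# made by the key with fingerprint $1 AND gpg rated that key fully/ultimately
# valid (i.e. it is certified by the master key you trusted). A "GOODSIG" on an
# uncertified key, a BADSIG, or an expired/revoked key all fail.
sig_status_ok() {
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    $2 == "VALIDSIG" && $3 == want { valid = 1 }
    $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
    $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
    END { exit !(valid && trusted && !bad) }'
}

# Verify ISO "$1" against its detached signature "$1.asc".
verify_iso() {
  gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null | sig_status_ok "$RELEASE_FPR"
}
# Constructed sample of status output for the good case shown in the tutorial
# (key id, fingerprint, date and RSA/SHA256 fields match its transcript).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1848792F9E2795E9 Qubes OS Release 4 Signing Key
[GNUPG:] VALIDSIG 5817A43B283DE5A9181A522E1848792F9E2795E9 2018-11-04 1541334648 0 4 0 1 8 00 5817A43B283DE5A9181A522E1848792F9E2795E9
[GNUPG:] TRUST_FULLY 0 pgp'
# Constructed: same signature, but the release key was never certified by a
# trusted key. gpg still prints "Good signature", yet this must be rejected.
SAMPLE_UNTRUSTED='[GNUPG:] GOODSIG 1848792F9E2795E9 Qubes OS Release 4 Signing Key
[GNUPG:] VALIDSIG 5817A43B283DE5A9181A522E1848792F9E2795E9 2018-11-04 1541334648 0 4 0 1 8 00 5817A43B283DE5A9181A522E1848792F9E2795E9
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Usage: sh verify-qubes-iso.sh Qubes-R4.0.1-rc1-x86_64.iso
if [ -n "$1" ]; then
  check_master_fpr || { echo "master key fingerprint mismatch" >&2; exit 1; }
  verify_iso "$1" || { echo "signature check FAILED for $1" >&2; exit 1; }
  echo "OK: $1 has a good signature from the certified release key"
fi
```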