Ubuntu – Secure Download (HTTPS) for Ubuntu Desktop

Security

I know a similar question was already asked in 2016, but I feel that the answer is quite insufficient:
Secure download link (HTTPS) for Ubuntu desktop

There should be a very clear path to securely acquire Ubuntu instead of the now-default of downloading it from an HTTP source.

Even MD5 checksums for the images are only accessible through HTTP. Torrent link, same problem.

Maybe I am missing something, but it really looks like there is no way of getting a proper Ubuntu copy securely.

Even with HTTPS mirrors, without a secure way of getting the MD5 from Canonical, how can we trust that the image has not been tampered with?

Best Answer

Current Ubuntu images come with MD5 and SHA256 checksums. The checksum files are GPG signed with an Ubuntu public key. The public key is obtained verifiably from the Ubuntu keyserver. Easy-to-follow instructions are in How to verify your Ubuntu download.

To add to this, the binary images are signed by the Canonical Master CA, which has a chain of trust to a certificate in your machine's TPM, and will not run if tampered with and you run under SecureBoot.

Short of hopping on your bike and having the people at Ubuntu burn a fresh image while you watch them, I think this really is as good as it gets.
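
The order of checks described in the answer (signature on the checksum file first, then the image hash), as an added example that is not part of the original answer or of Ubuntu's tutorial. The function names and `PINNED_FPR` are assumptions; the fingerprint is left as a placeholder to be filled in from a source you trust.

```bash
#!/usr/bin/env bash
# Added example: verify the signed checksum file first, then the image.
# PINNED_FPR is a placeholder. Take the real fingerprint from Ubuntu's
# verification tutorial and compare it out of band if you can.
PINNED_FPR="${PINNED_FPR:-REPLACE_WITH_UBUNTU_SIGNING_KEY_FINGERPRINT}"

# Succeeds only if gpg's machine-readable status contains a VALIDSIG line
# for the expected fingerprint (signing key or its primary key).
validsig_matches() {   # $1 = gpg status text, $2 = expected fingerprint
    printf '%s\n' "$1" | awk -v fpr="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Runs gpg on the detached signature, then applies the pinning check.
# A bare "gpg --verify" accepts any key in the keyring; pinning does not.
verify_sums_signature() {   # $1 = SHA256SUMS.gpg, $2 = SHA256SUMS
    local status
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    validsig_matches "$status" "$PINNED_FPR"
}

# Compares the image's SHA-256 with its entry in the already verified list.
verify_image_hash() {   # $1 = SHA256SUMS, $2 = image file
    local name want got
    name=$(basename -- "$2")
    # Lines look like "<hex> *<name>" (binary mode) or "<hex>  <name>".
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$1")
    [ -n "$want" ] || return 2          # image is not listed at all
    got=$(sha256sum -- "$2" | awk '{ print $1 }')
    [ "$want" = "$got" ]
}

# Usage: ./verify.sh SHA256SUMS.gpg SHA256SUMS ubuntu.iso
if [ "$#" -eq 3 ]; then
    verify_sums_signature "$1" "$2" || { echo "signature check failed" >&2; exit 1; }
    verify_image_hash "$2" "$3"     || { echo "checksum mismatch" >&2; exit 1; }
    echo "OK: $3 matches a checksum signed by $PINNED_FPR"
fi
```

With the placeholder left in place the signature check fails closed, so the image hash is never trusted on its own.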
