3. Could a malicious attacker that feeds me an altered ISO image not
also feed me an altered SHA256SUMS file? Yes, they could! HTTP is very
easy to intercept. This is where SHA256SUMS.sign comes in. This file
is the PGP signature of the SHA256SUMS file. It is signed with the
Debian CD signing key, which can be obtained from
hkp://keyring.debian.org/. The transport
from the keyserver is *not* secured, and the only way to verify you
have not been fed a bogus key is through the web of trust
<https://secure.wikimedia.org/wikipedia/en/wiki/Web_of_trust> if you
are connected to enough people to make a path to the Debian CD signing
key.
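The two checks described above, as an added example that is not code from the original post: the ISO is compared against its SHA256SUMS entry, and SHA256SUMS itself is verified against the detached SHA256SUMS.sign with gpg. The important part is the distinction gpg's status output makes between "the signature is good" and "the web of trust actually reaches this key": the second is what the transport-from-keyserver warning is about. It assumes gpg is on PATH for the live signature step; the key fingerprint, user ID and gpg status lines in the block are constructed placeholders, not real Debian values.

```python
"""Checking a downloaded ISO the way the post describes: digest against
SHA256SUMS, then SHA256SUMS against the detached signature SHA256SUMS.sign.
Added example, not code from the original post.  Assumes gpg is on PATH for
the signature step; the key fingerprint below is a placeholder."""
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

# Placeholder only: the real Debian CD signing key fingerprint is not on the
# page and must come from a trusted channel (web of trust), not from here.
DEBIAN_CD_KEY_FPR_PLACEHOLDER = "0" * 40

# sha256sum output format: 64 hex digits, two spaces (or " *" for binary
# mode), then the file name.
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_sha256sums(text):
    """Map file name -> expected hex digest from a SHA256SUMS file."""
    sums = {}
    for line in text.splitlines():
        m = SUMS_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def sha256_file(path, chunk=1 << 20):
    """Stream the file so a multi-GB ISO does not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def iso_matches_sums(iso_path, sums_text):
    """True iff the ISO digest equals its entry in SHA256SUMS."""
    expected = parse_sha256sums(sums_text).get(Path(iso_path).name)
    if expected is None:
        raise KeyError(f"{Path(iso_path).name} is not listed in SHA256SUMS")
    return sha256_file(iso_path) == expected


def classify_gpg_status(status_text):
    """Interpret the machine-readable lines gpg emits with --status-fd.

    'no-key'         : signature made by a key not in the local keyring
    'bad'            : signature does not verify
    'good-untrusted' : valid signature, but no web-of-trust path to the key
    'good-trusted'   : valid signature and the key is FULLY/ULTIMATELY trusted
    The post's warning is exactly the 'good-untrusted' case: a good signature
    proves nothing if the key itself could have been swapped in transit.
    """
    tokens = {line.split()[1] for line in status_text.splitlines()
              if line.startswith("[GNUPG:] ") and len(line.split()) > 1}
    if "NO_PUBKEY" in tokens:
        return "no-key"
    if "GOODSIG" not in tokens or "BADSIG" in tokens:
        return "bad"
    if tokens & {"TRUST_FULLY", "TRUST_ULTIMATE"}:
        return "good-trusted"
    return "good-untrusted"


def verify_sums_signature(sums_path, sig_path):
    """Run gpg on SHA256SUMS.sign; requires gpg and the signing key locally."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", str(sig_path), str(sums_path)],
        capture_output=True, text=True)
    return classify_gpg_status(proc.stdout)


# Constructed gpg status output (key ID and user ID are placeholders).
CONSTRUCTED_STATUS_UNTRUSTED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Placeholder Signer <placeholder@example.invalid>
[GNUPG:] VALIDSIG {fpr} 2024-01-01 1704067200 0 4 0 1 10 00 {fpr}
[GNUPG:] TRUST_UNDEFINED 0 pgp
""".format(fpr=DEBIAN_CD_KEY_FPR_PLACEHOLDER)

CONSTRUCTED_STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0000000000000000 Placeholder Signer <placeholder@example.invalid>
"""


def demo():
    """Offline walk-through with a constructed 'ISO' and SHA256SUMS."""
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / "debian-constructed.iso"
        iso.write_bytes(b"constructed ISO payload, not a real image\n")
        sums_text = f"{sha256_file(iso)}  {iso.name}\n"
        genuine = iso_matches_sums(iso, sums_text)
        iso.write_bytes(b"constructed ISO payload, altered in transit\n")
        tampered = iso_matches_sums(iso, sums_text)
    return {
        "genuine_iso_ok": genuine,      # True
        "tampered_iso_ok": tampered,    # False
        "sig_untrusted": classify_gpg_status(CONSTRUCTED_STATUS_UNTRUSTED),
        "sig_bad": classify_gpg_status(CONSTRUCTED_STATUS_BAD),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Only `good-trusted` should be accepted for an installer image; `good-untrusted` is what you get when gpg reports "This key is not certified with a trusted signature", which is precisely the case where the key could have been substituted on the unprotected keyserver transport.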

What should I do if I am not connected through the web of trust?
There is no easy answer to this.