For me, it’s not enough to verify the integrity of an ISO – I also have to verify its authenticity (or at least verify the checksum file) with GPG. I don’t know why, but just need to see that “Good signature” message before I feel safe installing Linux.
I notice, though, that the download pages of some prominent distros (Pop_OS!, openSUSE, etc) just give you a checksum, probably because they feel that anything else is unnecessary. This makes me shy away from installing them, which is a shame because I’d like to give some of those distros a try on bare metal.
Am I being paranoid when it comes to installing Linux?
(My opinion) No, you aren’t paranoid. I’m thinking a bit like you, but I also consider probabilities. You need to download the checksums from the official website and the ISO from mirrors. Two different sources would need to be hacked. This is where I say, it’s hard and secondly someone would notice that hack very quickly.
Signing the ISO or the checksums with a well-known signature is still important. I verify it, if a signature available. It’s just a couple of seconds and doesn’t cost anything.
Oh, that’s a good work-around. Thank you.