Download the sums file and the corresponding ".sign" file, e.g.

SHA512SUMS
and
SHA512SUMS.sign

Then:

gpg --verify SHA512SUMS.sign

This will complain:

gpg: directory `/home/general/.gnupg' created
gpg: new configuration file `/home/general/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/general/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/general/.gnupg/pubring.gpg' created
gpg: Signature made Mon 28 Apr 2014 19:31:12 PDT using RSA key ID 6294BE9B
gpg: Can't check signature: public key not found


Use that key ID to get the key from the Debian key server:

gpg --keyserver keyring.debian.org --recv-keys 6294BE9B

gpg: requesting key 6294BE9B from hkp server keyring.debian.org
gpg: /home/general/.gnupg/trustdb.gpg: trustdb created
gpg: key 6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)


Now you can verify the signature:

gpg --verify SHA512SUMS.sign 
gpg: Signature made Mon 28 Apr 2014 19:31:12 PDT using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

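The warning only means that nothing in your keyring vouches for this key. Now go to https://www.debian.org/CD/verify and check that the primary key fingerprint printed above is listed there.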


Now verify the checksums:

sha512sum -c SHA512SUMS


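If that returns "OK" for the file you downloaded, it is a good file. Files listed in SHA512SUMS that you did not download are reported as missing; only the line for your file matters.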
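
The steps above as one script, as an added example that is not part of the original note: it compares the full primary key fingerprint from gpg's machine-readable status output against the one shown above, rather than relying on the 8-digit key ID, and checks only the image you name. The script name and image file name are placeholders, and gpg is given the sums file explicitly as the signed data.

```shell
#!/bin/sh
# Added example (not from the original note). PINNED_FPR is the fingerprint
# shown above; confirm it at https://www.debian.org/CD/verify before use.
PINNED_FPR="DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B"

# Strip whitespace and upper-case so differently formatted fingerprints compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd` output on stdin; print the primary key fingerprint
# (last VALIDSIG field) only if GOODSIG was also reported, so signatures gpg
# flags as expired or revoked (EXPKEYSIG, REVKEYSIG) print nothing.
good_sig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
         $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $NF }
         END { if (good && fpr != "") print fpr }'
}

# Succeed only when the status output on stdin names the pinned fingerprint.
signature_matches_pin() {
    got=$(good_sig_fpr)
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$PINNED_FPR")" ]
}

# Check one image against the sums file; fails if it is unlisted or differs.
check_one_file() {  # usage: check_one_file SUMS_FILE IMAGE
    line=$(awk -v f="$2" '$2 == f || $2 == "*" f' "$1")
    [ -n "$line" ] && printf '%s\n' "$line" | sha512sum -c - >/dev/null 2>&1
}

# Whole procedure for one downloaded image in the current directory.
verify_image() {
    gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS 2>/dev/null \
        | signature_matches_pin || { echo "signature check failed" >&2; return 1; }
    check_one_file SHA512SUMS "$1" || { echo "checksum check failed: $1" >&2; return 1; }
    echo "$1: signature and checksum OK"
}

# Run as: sh verify.sh debian-image.iso   (file name is a placeholder)
if [ "$#" -ge 1 ]; then verify_image "$1"; fi
```

The key still has to be in your keyring first (the --recv-keys step above); the script fails closed if it is not.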