For example, Ubuntu ISO hasn't any signature, only checksum...
It does have PGP signatures! But since the ISO is big (Ubuntu 18.04 is nearly 2 GB), they use SHA hashes and then sign the hashes with their PGP private key and release the signature of that file instead.
So what you do is first check the signature of the hashes to see if you have the correct hash list file, and then hash the file itself to see that the file is correct.
In other words, it is a combination of authenticity and integrity in 2 steps.
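
The two-step check described in the reply above, as an added example that is not part of the original post. It assumes a hash list in `sha256sum` format with a detached signature beside it (Ubuntu publishes these as `SHA256SUMS` and `SHA256SUMS.gpg`); the function names and the dedicated keyring holding only the publisher's key are hypothetical choices made for this sketch.

```sh
#!/bin/sh
# Added example: verify a download against a PGP-signed hash list.
# All paths are passed in by the caller; nothing is fetched from the network.

# Step 1 (authenticity): succeeds only if SIGFILE is a valid detached
# signature over SUMSFILE made by a key in KEYRING. Use a path containing
# a slash so gpg treats KEYRING as a file, not a name under ~/.gnupg.
signature_ok() {  # signature_ok KEYRING SIGFILE SUMSFILE
    gpg --batch --no-default-keyring --keyring "$1" \
        --verify "$2" "$3" >/dev/null 2>&1
}

# Step 2 (integrity): succeeds only if FILE's SHA-256 equals the entry
# listed for its base name in SUMSFILE. Handles both "hash  name" and
# the binary-mode "hash *name" line formats.
hash_matches_list() {  # hash_matches_list SUMSFILE FILE
    name=$(basename "$2")
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$1")
    [ -n "$expected" ] || return 1          # file not listed at all
    actual=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Both steps in order. A matching hash is never accepted on its own:
# an unsigned or wrongly signed hash list stops the check at step 1.
verify_download() {  # verify_download KEYRING SIGFILE SUMSFILE FILE
    signature_ok "$1" "$2" "$3" || {
        echo "hash list signature NOT verified" >&2; return 1; }
    hash_matches_list "$3" "$4" || {
        echo "file hash does not match signed list" >&2; return 2; }
    echo "OK: $4"
}
```

The order matters: the hash comparison only means something once the list it is compared against has been shown to come from the publisher.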