It does have PGP signatures! But since the ISO is big (Ubuntu 18.04 is nearly 2 GB), they use SHA hashes, then sign the hashes with their PGP private key and release the signature of that file instead.
So what you do is first check the signature of the hashes to see if you have the correct hash list file, and then hash the file itself to see that the file is correct.
In other words, it is a combination of authenticity and integrity in 2 steps.
For this you need to know the fingerprint of the signature. For example, I know exactly the fingerprint for the Electrum files, because I watched a video with this fingerprint and Thomas V standing beside it.
To be fair, why do you trust the video you've seen? There's a probability the video is edited.
The reality is that a 100% trustless environment is impossible, and you're forced to trust someone at some point.
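The two-step check and the fingerprint comparison discussed in the posts above, as an added example that is not part of any poster's message. The function names, the file names in the usage comment and the fingerprint argument are assumptions; the fingerprint is whatever value you obtained from a source you have decided to trust, and SHA-256 is assumed for the hash list.

```shell
# Added example: verify a signed hash list, then the download itself.
# Usage (file names and fingerprint are placeholders):
#   verify_download SHA256SUMS SHA256SUMS.gpg image.iso "<FINGERPRINT>"

# Step 1 (authenticity): the detached signature over the hash list must be
# valid AND made by the key whose fingerprint you obtained out of band.
# A bare "good signature" from some key in the keyring is not enough.
verify_hash_list() {   # args: SUMS_FILE SIG_FILE FINGERPRINT
    local sums="$1" sig="$2" want status
    # Normalise the pinned fingerprint: no spaces, upper-case hex.
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    # A VALIDSIG status line carries the signing key fingerprint (field 3)
    # and, as its last field, the primary key fingerprint; accept either.
    printf '%s\n' "$status" | awk -v fp="$want" \
        '$2 == "VALIDSIG" && ($3 == fp || $NF == fp) { ok = 1 } END { exit !ok }'
}

# Step 2 (integrity): hash the download and compare it with the entry in
# the hash list that step 1 has just authenticated.
check_file_hash() {    # args: SUMS_FILE FILE
    local sums="$1" file="$2" name expected actual
    name=$(basename -- "$file")
    # Entries look like "<hex>  name" or "<hex> *name" (binary-mode marker).
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 2      # file is not listed at all
    actual=$(sha256sum -- "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Both steps in order. The hash comparison proves nothing unless the hash
# list itself was authenticated first, so step 2 only runs after step 1.
verify_download() {    # args: SUMS_FILE SIG_FILE FILE FINGERPRINT
    verify_hash_list "$1" "$2" "$4" && check_file_hash "$1" "$3"
}
```

Step 1 fails when the signature is valid but comes from a key other than the pinned one, which is the case the fingerprint discussion is about.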