For example, the Ubuntu ISO hasn't any signature, only a checksum...
It does have PGP signatures! But since the ISO is big (Ubuntu 18.04 is nearly 2 GB), they use SHA hashes, then sign the hashes with their PGP private key and release the signature of that file instead.
So what you do is first check the signature of the hashes to see that you have the correct hash list file, and then hash the file itself to see that the file is correct.
In other words, it is a combination of authenticity and integrity in 2 steps.
For this you need to know the fingerprint of the signature. For example, I know exactly the fingerprint for Electrum files, because I watched a video with this fingerprint and Thomas V standing beside.
Have you even checked Ubuntu before making these comments? You already have all that.
https://help.ubuntu.com/community/VerifyIsoHowto and their signatures have been in work since 2004 (15 years)
Moreover, you cannot verify the Google Chrome file with a signature, you cannot verify the Avast antivirus exe file with a signature, and most known apps haven't got any signatures to verify them! And if they have got such signatures, you cannot trust them without checking the reality of their fingerprints. But how can you do it? You need to be sure that the fingerprints are real!
They also have signatures, but in a different, more automatic way that is specific to Windows and is more like a certificate, and it requires payment. And instead of using PGP it uses RSA, which is another asymmetric cryptography scheme.
Any other "most known app" that doesn't have that signature may not need it. For example, you don't need to verify the signature of Adobe Photoshop because it is not security sensitive!
Of course, if you want to be paranoid, there is no end to how far your paranoia is going to go; as was mentioned, your only remaining option would be to use only open source software and compile all of it from source on your own.
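
The two-step check described in the reply above (signature over the hash list first, then the hash of the ISO), written out as a shell script. This is an added example, not part of the original thread, and its function names are hypothetical. It assumes `gpg` and `sha256sum` are installed, the signing key is already imported, and the expected fingerprint was obtained out of band.

```bash
#!/usr/bin/env bash
# Added example: two-step verification of a downloaded ISO.
# Paths and the fingerprint are supplied by the caller; none come from the thread.

# Step 1a: read `gpg --status-fd` output on stdin and succeed only if a
# VALIDSIG line names the fingerprint we expect (signing key or its primary key).
signer_matches() {
    local want
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !ok }'
}

# Step 1b: authenticity. Verify the detached signature over the hash list.
verify_sums_signature() {   # args: SHA256SUMS SHA256SUMS.gpg FINGERPRINT
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | signer_matches "$3"
}

# Step 2: integrity. Compare the file's SHA-256 with its entry in the hash list.
verify_file_hash() {        # args: SHA256SUMS FILE
    local name expected actual
    name=$(basename "$2")
    # Entries look like "<hash> *<name>" or "<hash>  <name>".
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$1")
    [ -n "$expected" ] || { echo "no entry for $name" >&2; return 1; }
    actual=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Both steps in order: the hash list is only trusted after its signature checks out.
verify_iso() {              # args: SHA256SUMS SHA256SUMS.gpg FINGERPRINT ISO
    verify_sums_signature "$1" "$2" "$3" || { echo "signature check failed" >&2; return 1; }
    verify_file_hash "$1" "$4" || { echo "hash mismatch" >&2; return 1; }
    echo "OK: $4 matches a hash list signed by $3"
}

if [ "$#" -eq 4 ]; then verify_iso "$@"; fi
```

Matching on the full fingerprint rather than on a "Good signature" message is what ties the check to a key you have verified yourself.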