On Tue, Feb 20, 2018 at 07:23:05PM +0200, mazocomp wrote:
> Isn't the same true when I download file sets from any mirror?

No.

> After all
> I download SHA256.sig and file sets from mirror, how can I trust it?

You run a trusted signify binary, which was not obtained from the mirror but is part of your existing install, to check the signature on SHA256.sig. A signify binary inside installXX.iso can't be trusted to not lie about the integrity of contents of installXX.iso.