There's a step-by-step tutorial on it: https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#0
If you don't know how that works, then the only way, if you intend to use it, is to learn it.
There's no "simple" way to do this, because how it works and how it provides correct results is not simple (unless you're good with algorithms). Sorry.
There's no official ISO md5sums organization that keeps track of all the images out there, so there's no official way of doing that. You can, however, use the tools and check it against what Ubuntu shares with you on their official servers, e.g. for the latest Ubuntu: http://releases.ubuntu.com/cosmic/
There are multiple files:
which can be checked against with as much as:
ubuntu-18.10-desktop-amd64.iso is of course the ISO in question. Compare the command output with those pages and you'll know if it's genuine.
EDIT: I thought I'd answer all of OP's questions, because they raised some questions, notes and concerns in the comments:
Is there a way for a casual user to verify the authenticity of a downloaded Ubuntu .ISO?
There is; I answered that in my main answer.
How would I go about verifying I'm not getting MITM'd and rootkit-level pwnd by a 16 y.o.?
The only simple way I know (without using a browser to download the SSL certificate) is to confirm that your network / DNS responds with the same IP as some other DNS you're not using and which you trust, e.g. OpenDNS or Google's:
dig releases.ubuntu.com
dig @18.104.22.168 releases.ubuntu.com
dig @22.214.171.124 releases.ubuntu.com
All of them should return the same results. For a rootkit, the only way is to check the ISO against the checksums, which I already described.
So, is there a practical way for the casual/intermediate user to check the integrity of Ubuntu software prior to installing it, or are we wasting thousands upon thousands of man-hours to write secure code only to serve it insecurely?
This question ignores the fact that:
- GPG keys can be fetched securely via
gpg --keyid-format long --keyserver hkps://keyserver.ubuntu.com --recv-keys 0x46181433FBB75451 0xD94AA3F0EFE21092
- there's a very important note on https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#2 which OP seems to ignore (while saying he read it before):
Note - some people question that if the site they are downloading from is not secure (many archive mirrors do not use SSL), how can they trust the signatures? The GPG fingerprint is checked against the Ubuntu keyserver, so if the signature matches, you know it is authentic no matter where/how it was downloaded!
How GPG works under the hood exceeds the knowledge of a casual user, but you can trust that this is secure. If you do not trust it, please read how GPG works. I can assure you it has been checked against attacks multiple times ;)
What I also explained in my edit is that the authenticity of the server CAN be checked (see my note on dig above). However, this exceeds the knowledge of a casual user (ask your internet-browsing parents about MITM and you'll know), so it raised my eyebrow when OP brought this to the table along with the "casual user" phrase.
While http://releases.ubuntu.com/ is NOT using HTTPS, you can check against MITM with dig. If it all matches, you're safe, because only Canonical holds control over *.ubuntu.com subdomains.
I hope there are no more questions, but if there are, please add a new askubuntu.com question and just add a link to this thread in it. I'll be happy to answer.
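As an added example (not part of the answer above, and not an Ubuntu or Canonical tool), here is a POSIX shell script that automates the procedure the answer describes: fetch the signing keys over hkps, verify the detached signature on SHA256SUMS, and only then compare the ISO's SHA-256 against its entry in the signed list. It assumes the ISO, SHA256SUMS and SHA256SUMS.gpg have already been downloaded into one directory, that gpg, sha256sum and awk are installed, and uses the two key IDs quoted above; the script and function names are my own.

```shell
#!/bin/sh
# verify_ubuntu_iso.sh: added example, not code from the original answer.
# Assumes the ISO, SHA256SUMS and SHA256SUMS.gpg sit in one directory and
# that gpg, sha256sum and awk are installed.
set -eu

# Key IDs quoted in the answer above (Ubuntu CD image signing keys).
UBUNTU_KEY_IDS="0x46181433FBB75451 0xD94AA3F0EFE21092"

# Step 1: fetch the signing keys over hkps so the keyserver transport is
# authenticated; this does not depend on the (plain HTTP) download mirror.
fetch_keys() {
    # Word-splitting of the ID list is intended.
    gpg --keyid-format long --keyserver hkps://keyserver.ubuntu.com \
        --recv-keys $UBUNTU_KEY_IDS
}

# Step 2: verify the detached signature on the checksum list.
# verify_signature <SHA256SUMS> <SHA256SUMS.gpg> -> exit 0 only on a good signature.
verify_signature() {
    gpg --keyid-format long --verify "$2" "$1"
}

# Step 3: compare the ISO's SHA-256 against its entry in the signed list.
# check_iso <SHA256SUMS> <iso path> -> 0 match, 1 mismatch, 2 no entry for the file.
check_iso() {
    sums=$1
    iso=$2
    name=$(basename "$iso")
    # Entries look like "<hex>  file" or "<hex> *file"; strip the "*" binary marker.
    expected=$(awk -v f="$name" '{ n = $2; sub(/^\*/, "", n); if (n == f) print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "check_iso: no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    if [ "$expected" != "$actual" ]; then
        echo "check_iso: MISMATCH for $name" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    echo "check_iso: $name matches the signed checksum"
}

# All three steps in the order that matters: the checksum list is only
# worth comparing against after its signature has been verified.
# verify_ubuntu_iso <dir> <iso filename>
verify_ubuntu_iso() {
    dir=$1
    iso=$2
    fetch_keys
    verify_signature "$dir/SHA256SUMS" "$dir/SHA256SUMS.gpg"
    check_iso "$dir/SHA256SUMS" "$dir/$iso"
}

# Only run when invoked with arguments, e.g.:
#   sh verify_ubuntu_iso.sh ~/Downloads ubuntu-18.10-desktop-amd64.iso
[ "$#" -eq 0 ] || verify_ubuntu_iso "$@"
```

The same step 3 can be done with `sha256sum -c SHA256SUMS --ignore-missing` from the download directory; the function above exists so that the "no entry for this file" case (a renamed or wrong ISO) is reported separately from a real checksum mismatch. Because `set -e` is on, a bad signature in step 2 aborts the script before any checksum is compared, which is the whole point of checking the signature first.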