checking signed md5sums of software downloads

I never used this much, but in the course of my (small) participation in the GRML Bug Squashing Party, I realized that, yes, it's a good security feature to give people a signed md5 sum, so they can check that a downloaded ISO, or any other type of file, really originates from a person who owns a key you trust, and that this person asserted the file was built by him.

But, how many steps do you need, and which commands, to check that?

Here's a one-liner to do it, assuming you have the file with the name FILE, and the signed md5sum in a file named FILE.md5.asc:

echo "iso name?"; read -r iso; gpg --verify "$iso.md5.asc" && md5sum -c "$iso.md5.asc"
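md5sum -c reads every line of the .asc file and does not know which lines the signature covers, so a stricter check takes the checksum line from gpg's own output. The function below is an added example, not part of the original post; the name verify_signed_md5 is hypothetical, and it assumes FILE.md5.asc is a clearsigned file sitting next to FILE.

```shell
#!/bin/sh
# Added example: verify_signed_md5 is a hypothetical helper name.
# Usage: verify_signed_md5 path/to/FILE   (expects FILE.md5.asc beside it)
verify_signed_md5() {
    file=$1
    sums=$file.md5.asc
    name=$(basename -- "$file")

    # 1. The signature must verify; stop here if it does not.
    gpg --verify "$sums" || return 1

    # 2. Take the checksum lines from gpg's output, so that only text
    #    covered by the signature is used.
    signed=$(gpg --decrypt "$sums" 2>/dev/null) || return 1

    # 3. Keep only the line for our file ("HASH  NAME" or "HASH *NAME":
    #    32 hex digits, two separator characters, then the name).
    line=$(printf '%s\n' "$signed" | n=$name awk '
        length($1) == 32 && substr($0, 35) == ENVIRON["n"] { print; exit }')
    if [ -z "$line" ]; then
        echo "no signed checksum for $name" >&2
        return 1
    fi

    # 4. Check the file against that signed line, from the file's directory.
    ( cd -- "$(dirname -- "$file")" && printf '%s\n' "$line" | md5sum -c - )
}
```

The function returns 0 only when the signature verifies, the signed text names the file, and the hash matches.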