Redownload. Check again. I'm on satellite internet with the horrible latencies and frequent timeouts associated with that tech; I recently had the netinstall image for Debian fail integrity checking three times in a row, from the http mirrors. Guy from the link said it himself: download via torrent and all is well.
Generally, being on such terrible interwebs I get angry whenever I hear people claim torrents are only for piracy. We all know they're wrong, but my legal torrent use has really never been more intense. Rsync's ability for aggressive retrying is also blessed :)
Yeah, that's one thing I really love about torrents. Because of the giant set of hashes they use, it's really great for verifying the integrity of the download. You've got a hash for each block (128k by default) and for the overall download, along with the complete size of the file.
Depends on the seed creation software, Tixati defaults to 256k for instance, kind-of: it's the default value of the box, but a new default is recomputed based on the amount of data included in the torrent. If I try to seed my local install of Bastion (920MB) it picks 1MB, Atom Zombie Smasher (25MB) yields 64kB, and Shadowrun Hong Kong (9GB) picks 4MB.
The first step is to detect the wrong signature. The next step is to compare the files to see whether truncation, bitswap etc. happened or whether the manipulation went deeper. Or for the more paranoid people: See what dangerous attack code can be introduced into the software by such an innocent-looking manipulation and whether the modification that happened did introduce such an exploit or not.
You can those questions in the reply thread (Is it the right file size? Can you mount it?)
This will only be interesting if it isn't just a corrupted image. If it isn't a corrupt image, I hope there's a follow-up with a diff-tree between the two.
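The comparison step discussed above (truncation versus bit errors versus a deeper change), as an added example that is not part of the original thread: it walks a known-good image and a suspect one in 128k blocks, the size mentioned earlier. The function name, the verdict labels and the bit-count threshold are assumptions made for illustration.

```python
import os
import tempfile

BLOCK = 128 * 1024  # block size mentioned in the thread; clients may pick others


def classify_diff(reference, suspect, block=BLOCK):
    """Compare two image files block by block and summarise how they differ."""
    size_ref, size_sus = os.path.getsize(reference), os.path.getsize(suspect)
    bad_blocks, flipped_bits = [], 0
    with open(reference, "rb") as fr, open(suspect, "rb") as fs:
        index = 0
        while True:
            a, b = fr.read(block), fs.read(block)
            if not a or not b:
                break  # one file ended; the size check below covers the rest
            n = min(len(a), len(b))  # compare only the overlapping bytes
            if a[:n] != b[:n]:
                bad_blocks.append(index)
                flipped_bits += sum(bin(x ^ y).count("1") for x, y in zip(a, b))
            index += 1
    if size_ref == size_sus and not bad_blocks:
        verdict = "identical"
    elif not bad_blocks:
        verdict = "truncated" if size_sus < size_ref else "extra trailing data"
    elif flipped_bits <= 8 * len(bad_blocks):
        # Assumed heuristic: a handful of flipped bits per damaged block
        verdict = "scattered bit errors"
    else:
        verdict = "substantial content change"
    return {"verdict": verdict, "sizes": (size_ref, size_sus),
            "bad_blocks": bad_blocks, "flipped_bits": flipped_bits}


if __name__ == "__main__":
    # Constructed sample data standing in for a good and a damaged download.
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.img"), os.path.join(d, "bad.img")
        data = bytes(range(256)) * 2048  # 512 KiB, four 128k blocks
        with open(good, "wb") as f:
            f.write(data)
        corrupted = bytearray(data)
        corrupted[200000] ^= 0x04  # single flipped bit in block 1
        with open(bad, "wb") as f:
            f.write(bytes(corrupted))
        print(classify_diff(good, bad))
```

The verdict only narrows down where to look: the listed block indices are the regions worth extracting and diffing at the filesystem level.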
For reference, here's a check of the torrent with the .torrent file I snagged from https://www.qubes-os.org/downloads/ last night. Master signing key checked against the fingerprint published on the mailing list in 2013. Looks legit.
Qubes-R3.2-x86_64 moi$ gpg --verify Qubes-R3.2-x86_64.iso.asc Qubes-R3.2-x86_64.iso
gpg: Signature made Tue Sep 20 18:33:37 2016 BST using RSA key ID 03FA5082
gpg: Good signature from "Qubes OS Release 3 Signing Key" [full]
For reference II - downloaded the .iso. Despite a usually robust connection the download was interrupted three times. I have no idea whether this signifies anything. Curl resumed where it left off and in the end...
Qubes-R3.2-x86_64 moi$ gpg --verify Qubes-R3.2-x86_64.iso.asc Qubes-R3.2-x86_64.iso_WEBDL
gpg: Signature made Tue Sep 20 18:33:37 2016 BST using RSA key ID 03FA5082
gpg: Good signature from "Qubes OS Release 3 Signing Key" [full]
Of course (skipping merrily off into tinfoil-hat-land) that doesn't eliminate the possibility that the OP's download had been MITM-ed. However, this would have to be by someone who:
1) Controls part of the network infrastructure between them and mirrors.kernel.org (i.e. routers, cables or DNS)
2) Can fake a TLS certificate for mirrors.kernel.org
So, corrupted download or a targeted MITM attack by a state-level actor? Who the hell knows anymore.