If you have an existing Ubuntu system you trust, you can verify the authenticity of this release via:

  $ gpg --no-default-keyring --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg --verify SHA256SUMS{.gpg,}
  gpg: Signature made Thu 21 Apr 2016 10:40:38 UTC using DSA key ID FBB75451
  gpg: Good signature from "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: C598 6B4F 1257 FFA8 6632  CBA7 4618 1433 FBB7 5451
  gpg: Signature made Thu 21 Apr 2016 10:40:38 UTC using RSA key ID EFE21092
  gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: 8439 38DF 228D 22F7 B374  2BC0 D94A A3F0 EFE2 1092

  $ sha256sum --ignore-missing -c SHA256SUMS
  ubuntu-16.04-desktop-amd64.iso: OK

(You can ignore the `WARNING`s above, since you're explicitly telling `gpg` to use a keyring you trust)