There are several different steps, all of which are covered in the docs. In broad strokes, one step is to make sure you have the genuine QMSK (which in turn allows you to ensure you have a genuine RSK and a genuine ISO hash), while the other is to make sure that the installation medium you use has a genuine Qubes ISO (which you accomplish using the aforementioned RSK and hash).
Both can be handled in similar ways. You can download the QMSK or its fingerprint from many different computers (e.g., friend’s, library’s, work’s, internet cafe’s) over many different internet connections (e.g., Tor, VPN, public Wi-Fi, friend’s place, work). If you get the same QMSK/fingerprint everywhere, then your adversary would’ve had to somehow compromise all of those different computers and/or networks in order to feed you the same forged key/fingerprint everywhere. The more different channels, the less likely that this is what happened, and the costlier such an attack would be.
As for the installation medium, you can copy the authenticated ISO onto a physically write-protected USB drive with signed and/or non-reflashable firmware, flip the write-protect switch, then re-verify the hash or PGP signature of that ISO on the drive on many different computers (e.g., friend’s, library’s, work’s, internet cafe’s). Again, the idea is that your adversary would have to compromise all those other devices in order to make it appear that his forged ISO was successfully re-verified on every device.
For example, when you hash your USB drive’s data on a computer at the library, it will output some hash value. You can then compare that hash value to the one you know is genuine, which you wrote down earlier. If your ISO were compromised, then your adversary would have to make that computer show you a different hash than the actual hash of the data on your USB drive. But in order to do that, he would have to compromise that computer. If you check on every computer at the library, then your adversary has to compromise every computer at the library, or else you will eventually get a different result. Likewise if you repeat the process at work, at your friend’s house, at a random internet cafe, and so on. The cost for your adversary goes up the more you do this. At some point (probably much earlier than described here), it becomes sufficiently far-fetched that any adversary could’ve compromised all these different computers and networks that you accept that the ISO on your USB drive is likely enough to be genuine for you to feel comfortable proceeding.
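The two checks the post describes (comparing a recorded hash against what an arbitrary computer reports for the file on the write-protected drive, and comparing a fingerprint fetched over one channel with one recorded over another) can be scripted so the same routine is run on every computer you visit. The helpers below are an added example, not part of the original post or of the Qubes project; they are plain POSIX sh, the "ISO" is a constructed file, the known-good hash is simply the SHA-256 of that constructed content standing in for the value you wrote down, and the fingerprints and channel labels are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for re-verifying a
# write-protected drive on many computers. All values below are constructed.

# Print the SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare the file on the drive against the hash you wrote down earlier.
# Returns 0 on match, 1 on mismatch; letter case is ignored.
verify_iso_hash() {
    vih_file=$1
    vih_expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    vih_actual=$(sha256_of "$vih_file")
    [ "$vih_actual" = "$vih_expected" ]
}

# Normalize a PGP fingerprint so "AAAA BBBB" and "aaaabbbb" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Compare the fingerprint seen on this channel with the one recorded on
# another. Returns 0 if they agree, 1 otherwise.
fingerprints_agree() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Append one line per check to a log you carry with you, so that after the
# library, work and the cafe you can see whether every channel agreed.
# $1 = log file, $2 = channel label, $3 = "ok" or "MISMATCH"
log_check() {
    printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" >> "$1"
}

# Count log lines whose result field is anything other than "ok".
mismatches_in_log() {
    awk -F'\t' '$3 != "ok" { n++ } END { print n+0 }' "$1"
}

# Demonstration with a constructed "ISO" (the bytes "hello\n"). The
# known-good value is the SHA-256 of exactly those bytes.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/qubes.iso"
known_good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
if verify_iso_hash "$demo_dir/qubes.iso" "$known_good"; then
    log_check "$demo_dir/checks.log" "library-pc-1" ok
else
    log_check "$demo_dir/checks.log" "library-pc-1" MISMATCH
fi
echo "mismatches so far: $(mismatches_in_log "$demo_dir/checks.log")"
```

The log is the point of the exercise: a single "ok" tells you little, but a row of "ok" results gathered from unrelated machines and networks is what raises the cost the post describes, and a single MISMATCH anywhere in that log is the signal to stop and start over.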