I want to add that PGP verifying it is not strictly necessary. Obviously it is recommended. However, some users just resort to checking the hash sum, or just trust HTTPS to secure their download.
Then search for the Qubes master key fingerprint online. Compare that fingerprint and make sure what's in your shell matches what you see in your search.
You should see the Release 4 key in “uid” and nested under it the Master key. The Master key line must begin with “sig!” including the exclamation mark! If the exclamation is not present then the key is bad.
Verify the iso file: gpg --verify Qubes-R4.1.1-x86_64.iso.asc Qubes-R4.1.1-x86_64.iso
Wait … Message: "Good signature from “Qubes OS Release 4 Signing Key”"
gpg: using RSA key 5817A43B283DE5A9181A522E1848792F9E2795E9
gpg: Good signature from "Qubes OS Release 4 Signing Key" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5817 A43B 283D E5A9 181A 522E 1848 792F 9E27 95E9
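The verification step above, as an added example that is not part of the original posts or of the Qubes project: instead of reading the "Good signature" text by eye, it parses gpg's machine-readable `--status-fd` lines and passes only when the signature is valid and was made by the Release 4 key fingerprint shown in the output above. The function names are hypothetical and the sample status lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: decide pass/fail from gpg's machine-readable status lines
# rather than from the human-readable "Good signature" text.

# Release 4 signing key fingerprint, as printed in the gpg output above.
EXPECTED_FPR="5817A43B283DE5A9181A522E1848792F9E2795E9"

# check_status EXPECTED_FPR  (reads `gpg --status-fd 1` output on stdin)
# Returns 0 only if a VALIDSIG line names EXPECTED_FPR as the primary key
# and no failure status was reported.
check_status() {
    local want="$1" tag kw rest ok=1 bad=0
    while read -r tag kw rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)
                bad=1 ;;
            VALIDSIG)
                # Last field is the primary key fingerprint; the first is the
                # (sub)key that actually made the signature.
                [ "${rest##* }" = "$want" ] && ok=0 ;;
        esac
    done
    [ "$bad" -eq 0 ] && [ "$ok" -eq 0 ]
}

# verify_iso SIGFILE ISOFILE: hypothetical wrapper around the command above.
verify_iso() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Constructed status output (key ID and fingerprint taken from the page; the
# timestamps and algorithm fields are made up).
sample_good() {
    printf '%s\n' \
      "[GNUPG:] NEWSIG" \
      "[GNUPG:] GOODSIG 1848792F9E2795E9 Qubes OS Release 4 Signing Key" \
      "[GNUPG:] VALIDSIG $EXPECTED_FPR 2022-07-18 1658102400 0 4 0 1 10 00 $EXPECTED_FPR" \
      "[GNUPG:] TRUST_UNDEFINED 0 pgp"
}
sample_bad() {
    printf '%s\n' "[GNUPG:] BADSIG 1848792F9E2795E9 Qubes OS Release 4 Signing Key"
}
```

Run as `verify_iso Qubes-R4.1.1-x86_64.iso.asc Qubes-R4.1.1-x86_64.iso && echo OK`; a valid signature from any other key in the keyring fails the check.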