All the available guides I’m aware of for how to verify Ubuntu (or Ubuntu flavor) ISOs with GPG signature all explain how to obtain the GPG key from a key server. But if you already have an existing *buntu system that you trust, that step is unnecessary since you already have the necessary GPG key available on that system.
Here is a shell script that uses the already-available Ubuntu cdimage GPG key to check the GPG signature of a *buntu ISO SHA256SUMS file. Place the SHA256SUMS file and the corresponding SHA256SUMS.gpg file in the same directory, then run this script with the SHA256SUMS file as the first/only command-line argument:
#!/bin/bash
sha256sums="$1"
gpg --no-default-keyring --no-auto-check-trustdb --trust-model=always \
--keyid-format long \
--keyring=/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg \
--verify "${sha256sums}.gpg" "$sha256sums"
x="$?"
if [[ x"$x" = x'0' ]];then
echo -e '\033[0;32mSHA256sums OK\033[0m'
else
echo -e '\033[1;91mSHA256sums Not Verified!\033[0m'
exit $x
fi