Download Kali Linux Images Securely

When you download an image, be sure to download the SHA256SUMS and SHA256SUMS.gpg files that are next to the downloaded image (i.e. in the same directory on the Kali Linux Download Server). Before verifying the checksums of the image, you must ensure that the SHA256SUMS file is the one generated by Kali. That’s why the file is signed by Kali’s official key with a detached signature in SHA256SUMS.gpg. Kali’s official key can be downloaded like so:

$ wget -q -O - https://archive.kali.org/archive-key.asc | gpg --import
# or...
$ gpg --keyserver hkps://keyserver.ubuntu.com --recv-key 827C8569F2518CC677FECA1AED65462EC8D5E4C5
# ...and verify that the displayed fingerprint matches the one below
$ gpg --fingerprint 827C8569F2518CC677FECA1AED65462EC8D5E4C5
pub   rsa4096 2025-04-17 [SC] [expires: 2028-04-17]
      827C 8569 F251 8CC6 77FE  CA1A ED65 462E C8D5 E4C5
uid           [ unknown] Kali Linux Archive Automatic Signing Key (2025) 

Once you have downloaded both SHA256SUMS and SHA256SUMS.gpg, you can verify the signature as follows:

$ wget -q https://cdimage.kali.org/current/SHA256SUMS{.gpg,}
$ gpg --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Sun 20 Apr 2025 16:00:00 GMT
gpg:                using RSA key 827C8569F2518CC677FECA1AED65462EC8D5E4C5
gpg: Good signature from "Kali Linux Archive Automatic Signing Key (2025) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

If you don’t get that “Good signature” message or if the key ID doesn’t match, then you should stop the process and review whether you downloaded the images from a legitimate Kali mirror.
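The procedure above stops at the signature check; the last step is to check the image itself against the now-trusted SHA256SUMS. The following POSIX sh script is an added example, not part of the Kali documentation: it assumes gpg, sha256sum and wget are installed, that SHA256SUMS lines have the form `<64 hex chars>  <filename>` (or `*<filename>`), and it uses the key fingerprint shown above.

```sh
#!/bin/sh
# Added example (not from the Kali docs): verify a downloaded Kali image end to end.
# Assumes gpg, sha256sum and wget are installed and that SHA256SUMS lines look like
# "<64 hex chars>  <filename>" (or "*<filename>" for binary mode).

# Fingerprint of the Kali Linux Archive Automatic Signing Key (2025), from the page above.
KALI_FPR=827C8569F2518CC677FECA1AED65462EC8D5E4C5

# verify_sums SHA256SUMS SHA256SUMS.gpg
# Succeeds only if gpg reports a valid signature AND the signing key's fingerprint
# is exactly KALI_FPR. Pinning the full fingerprint (not just "Good signature")
# is what makes the "key is not certified" warning acceptable here.
verify_sums() {
    sums=$1; sig=$2
    status=$(gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    printf '%s\n' "$status" | awk -v f="$KALI_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 }
        END { exit !ok }'
}

# check_image IMAGE SHA256SUMS
# Selects the one SHA256SUMS line whose filename equals the image's basename and
# feeds it to sha256sum -c, so an unlisted image is a failure, not a silent skip.
check_image() {
    image=$1; sums=$2
    line=$(awk -v f="$(basename "$image")" \
        '$2 == f || $2 == "*" f { print; exit }' "$sums")
    [ -n "$line" ] || return 1
    (cd "$(dirname "$image")" && printf '%s\n' "$line" | sha256sum -c --status)
}

# verify_download IMAGE: the full procedure from the page, stopping at the first failure.
verify_download() {
    image=$1
    dir=$(dirname "$image")
    wget -q -O "$dir/SHA256SUMS" https://cdimage.kali.org/current/SHA256SUMS || return 1
    wget -q -O "$dir/SHA256SUMS.gpg" https://cdimage.kali.org/current/SHA256SUMS.gpg || return 1
    verify_sums "$dir/SHA256SUMS" "$dir/SHA256SUMS.gpg" ||
        { echo "STOP: bad or foreign signature on SHA256SUMS" >&2; return 1; }
    check_image "$image" "$dir/SHA256SUMS" ||
        { echo "STOP: checksum mismatch or image not listed in SHA256SUMS" >&2; return 1; }
    echo "OK: $image matches the checksum Kali signed"
}

# Usage: ./verify-kali.sh path/to/kali-linux-<version>-installer-amd64.iso
if [ "$#" -eq 1 ]; then verify_download "$1"; fi
```

Import the Kali key first, as shown above, or verify_sums will fail because gpg has no key to verify against.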


Updated on: 2025-Apr-18
Author: daniruiz