By design only released versions will be signed by the GPG key to verify their authenticity. In order to also prevent transmission error on the Wire or your/our storage SHA256 hashes are calculated during the build process and published together with the ISO image.
Now that the sha256 hash is available, the `add system image` command should also fetch the hash and verify it before installing the ISO image - If there is no hash we will keep installing the image and just ignore it.