You would have to really trust the bitcoin-specific live CDs because they could be compromised already.
The developer's public key has a massive web of trust and is signed by well-known devs.
You then make the decision to add the public key to your chain.
Check again if you find the key's fingerprint all over the net.
Don't be an idiot and sign any public keys unless you yourself know the owner and got it face to face. For your own keychain trust models, be pessimistic.
gpg --verify xxxxx.iso.asc xxxxx.iso
Make sure you see "good signature"
This is a good start.
GPG/PGP key ID: 0x2B4B58FE
gpg --keyserver pgp.mit.edu --recv-keys 0x2B4B58FE
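Added example, not part of the post above: a small POSIX shell wrapper around the `gpg --verify` step. It assumes the downloaded ISO and its detached `.asc` file, and it assumes you already confirmed the full 40-character fingerprint of the key out of band (EXPECTED_FPR is a placeholder; the post only gives the short ID 0x2B4B58FE). Rather than grepping for the human-readable "Good signature" text, it reads gpg's machine-readable status lines and accepts the file only when the VALIDSIG line names that exact fingerprint, so a signature from some other key that happens to be in your keyring does not pass.

```shell
#!/bin/sh
# Added example (not the post's own commands). Verifies a detached GPG
# signature on an ISO and pins the result to one expected key fingerprint.
# EXPECTED_FPR is a placeholder: replace it with the fingerprint you confirmed
# through the web of trust / out of band. 0x2B4B58FE is only the short key ID.

EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"  # placeholder

# check_status: reads "gpg --status-fd 1" output on stdin and returns 0 only
# when a VALIDSIG line carries the expected fingerprint. In VALIDSIG the first
# field is the signing (sub)key fingerprint and the last field is the primary
# key fingerprint, so either position is accepted. Any key in your keyring
# produces "Good signature"; only the fingerprint check ties it to *this* key.
check_status() {
    expected="$1"
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG $expected "*|"[GNUPG:] VALIDSIG "*" $expected")
                return 0 ;;
        esac
    done
    return 1
}

# verify_iso SIG ISO FPR: runs gpg and feeds its status lines to check_status.
# gpg's human-readable output still goes to stderr, so you also see the usual
# "Good signature from ..." line the post tells you to look for.
verify_iso() {
    sig="$1"; iso="$2"; fpr="$3"
    gpg --status-fd 1 --verify "$sig" "$iso" | check_status "$fpr"
}

# Usage: ./verify-iso.sh xxxxx.iso.asc xxxxx.iso
if [ "$#" -eq 2 ]; then
    if verify_iso "$1" "$2" "$EXPECTED_FPR"; then
        echo "OK: $2 is signed by key $EXPECTED_FPR"
    else
        echo "FAIL: signature missing, bad, or made by an unexpected key" >&2
        exit 1
    fi
fi
```

Fetch the key as the post shows, print its fingerprint with `gpg --fingerprint 0x2B4B58FE`, compare it against the copies you found elsewhere, and only then put that value in EXPECTED_FPR.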