The gpg files in http://releases.ubuntu.com/16.04.3/ do not contain any keys; rather, they are signatures made with keys. For example:
$ gpg --verify SHA1SUMS.gpg SHA1SUMS
gpg: Signature made Thu 03 Aug 2017 14:56:51 BST
gpg: using DSA key 46181433FBB75451
gpg: Can't check signature: No public key
gpg: Signature made Thu 03 Aug 2017 14:56:51 BST
gpg: using RSA key D94AA3F0EFE21092
gpg: Can't check signature: No public key
I can't check the signatures because I don't have the relevant keys in my keyring. If I download the keys:
$ gpg --recv-keys 46181433FBB75451 D94AA3F0EFE21092
then I can verify the signature:
$ gpg --verify SHA1SUMS.gpg SHA1SUMS
gpg: Signature made Thu 03 Aug 2017 14:56:51 BST
gpg: using DSA key 46181433FBB75451
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451
gpg: Signature made Thu 03 Aug 2017 14:56:51 BST
gpg: using RSA key D94AA3F0EFE21092
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092
That shows that the signatures are good; however, it warns that I have not assigned any trust to the keys. To do that I would need to verify that the fingerprints do correspond to the Ubuntu keys.
Once I am happy with the signature I would need to calculate the SHA1 checksum of the ISO and compare with the value in the SHA1SUMS file.
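
The steps above as a script, added here as an example and not part of the original answer: it accepts the signature only if it comes from one of the two primary key fingerprints shown in the gpg output above, then compares the ISO's SHA1 with its entry in SHA1SUMS. The function names are hypothetical, and the script assumes SHA1SUMS and SHA1SUMS.gpg sit in the same directory as the ISO.

```sh
#!/bin/sh
# Added example; function names are hypothetical.
# Primary key fingerprints as printed in the gpg output above, spaces removed.
EXPECTED_FPRS="C5986B4F1257FFA86632CBA746181433FBB75451 843938DF228D22F7B3742BC0D94AA3F0EFE21092"

# Reads `gpg --status-fd 1 --verify ...` output on stdin and succeeds only if
# a VALIDSIG line names a pinned fingerprint. Plain `gpg --verify` exits 0 for
# a good signature from any key in the keyring, hence the pinning.
# Field 3 of VALIDSIG is the signing key's fingerprint; for the two keys above
# the signing key is the primary key.
sig_fingerprints_ok() {
    found=0
    while read -r tag kind fpr _rest; do
        [ "$tag" = "[GNUPG:]" ] && [ "$kind" = "VALIDSIG" ] || continue
        case " $EXPECTED_FPRS " in
            *" $fpr "*) found=1 ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# iso_matches_sums ISO SUMS: compare the ISO's SHA1 with its line in SUMS.
# Returns 0 on match, 1 on mismatch, 2 if SUMS has no entry for the file.
iso_matches_sums() {
    iso=$1; sums=$2
    name=$(basename "$iso")
    # Entries look like "<hex> *<name>" (binary mode) or "<hex>  <name>".
    want=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    [ -n "$want" ] || return 2
    got=$(sha1sum "$iso" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# verify_iso ISO: signature check first, checksum second.
# Usage: verify_iso path/to/image.iso
verify_iso() {
    dir=$(dirname "$1")
    gpg --status-fd 1 --verify "$dir/SHA1SUMS.gpg" "$dir/SHA1SUMS" 2>/dev/null \
        | sig_fingerprints_ok || return 1
    iso_matches_sums "$1" "$dir/SHA1SUMS"
}
```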