For example, ubuntu iso hasn't any signiture, only checksum...
it does have PGP signatures! but since ISO is big (Ubuntu 18.04 is nearly 2 GB) they use SHA hashes and then sign the hashes with their PGP private key and release the signature of that file instead.
so what you do is that you first check the signature of the hashes to see if you have the correct hash list file and then hash the file itself to see the file is correct.
in other words it is a combination of authenticity and integrity with 2 steps.
have you even checked Ubuntu before making these comments? you already have all that. https://help.ubuntu.com/community/VerifyIsoHowto and their signatures have been in work since 2004 (15 years)
any other "most known app" that doesn't have that signature may not need it. for example you don't need to verify the signature of Adobe Photoshop because it is not security sensitive!
of course if you want to be paranoid, there is no end to how much your paranoia is going to go, as it was mentioned your only remaining option would be to only use open source softwares and compiling all of them from source on your own.