When you download an image, be sure to download the SHA256SUMS and SHA256SUMS.gpg files that are next to the downloaded image (i.e. in the same directory on the Kali Linux Download Server). Before verifying the checksums of the image, you must ensure that the SHA256SUMS file is the one generated by Kali. That’s why the file is signed by Kali’s official key with a detached signature in SHA256SUMS.gpg. Kali’s official key can be downloaded like so: