Correct me if I'm wrong, but can't you just download the packages from https://packages.debian.org/wheezy/apt and install them manually using dpkg?


If you know how to verify the signatures properly, that would work. I'm thinking if you don't know that, and if you're willing to do what you just described, you probably don't really care about these CVEs anyway.


Can't you also just verify the sha256 from debian's site? I wrote a script here: https://gist.github.com/shuhaowu/286e6681d6faa473ebb0


sha256 doesn't provide any web-of-trust; if your download is compromised, the sha-sums that you download to verify them could also be compromised in the same way. If the crypto signatures are verified and your installed keyring is genuine (came from a genuine installation media), then you know that the packages you installed (and their signatures) actually came from the Debian project.

That being said, you can try verifying the sha256 and you might catch "them" that way if they didn't think of that.
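As an added illustration (not code from the thread), this is the hash chain that a manual download has to walk for the comment above to hold: first the Release file's detached signature is checked against the locally installed keyring (`gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg Release.gpg Release`, the usual keyring path from the debian-archive-keyring package), then the signed Release file's SHA256 section vouches for the Packages index, and the Packages stanza vouches for the .deb. The archive snippets and .deb bytes below are constructed for the example.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample archive pieces for the example; not real Debian data.
DEB_BYTES = b"!<arch>\nconstructed .deb contents\n"
DEB_FILENAME = "pool/main/a/apt/apt_example_amd64.deb"
PACKAGES_BYTES = (
    f"Package: apt\nFilename: {DEB_FILENAME}\nSize: {len(DEB_BYTES)}\n"
    f"SHA256: {sha256_hex(DEB_BYTES)}\n"
).encode()
RELEASE_TEXT = (
    "Origin: Debian\nSuite: stable\nSHA256:\n"
    f" {sha256_hex(PACKAGES_BYTES)} {len(PACKAGES_BYTES)} main/binary-amd64/Packages\n"
)

def release_sha256(release_text, path):
    # Parse the indented " <sha256> <size> <path>" rows under "SHA256:".
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, name = line.split()
            if name == path:
                return digest, int(size)
    return None

def packages_stanza(packages_text, package):
    # Packages is a series of blank-line separated "Field: value" stanzas.
    for stanza in packages_text.split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        if fields.get("Package") == package:
            return fields
    return None

def verify_chain(release_text, packages_bytes, deb_bytes, package, arch="amd64"):
    # Signed Release -> Packages index -> .deb: every link must match, and the
    # Release signature must already have been accepted by gpgv (not done here).
    expected = release_sha256(release_text, f"main/binary-{arch}/Packages")
    if expected != (sha256_hex(packages_bytes), len(packages_bytes)):
        return False
    entry = packages_stanza(packages_bytes.decode(), package)
    if entry is None:
        return False
    return (entry["SHA256"], int(entry["Size"])) == (sha256_hex(deb_bytes), len(deb_bytes))
```

If any link fails, including a Packages file whose own hash the signed Release does not vouch for, the .deb is rejected even when its checksum matches the one published next to it.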


Well I got the sha256 from the debian site, which is HTTPS secured, which I assume is uncompromised because of this vulnerability, correct? Or am I missing something here?


Yeah that makes sense to me. If you trust ssl. I usually assume that if some three-letter agency wants to hack my computers they are going to find a way and recent history has shown that SSL can be vulnerable too.

I think it's true that without certificate pinning (which you sound like you know about) the various government agencies may easily have people inside your certificate stores that can issue bogus certs. That we've never read of one of these attacks succeeding is further evidence that the conspiracy is working ;)


Yes, and this time it's less secure than just using apt-get.

Original trust is a problem with no possible solution inside a computer.


Yeah, can be a pain to get the right dependencies in the right order etc. though. In this case probably easy enough.


Yes, you can definitely do that.



