You will probably download the RHEL ISO image from within the Red Hat Customer Portal and therefore use an encrypted HTTPS connection (download URL is https://access.cdn.redhat.com/…). The SHA-256 checksums for the ISO images are on the download page.
Red Hat also provides a page with all GPG keys they use for signing their software packages. In Customer Portal, go to “Security” -> “Product Signing (GPG) Keys)” (https://www.redhat.com/security/team/key/)
There are download links for the public keys (https://www.redhat.com/…). The keys are also available on the keyserver pgp.mit.edu . So you can use the following command to import the main Red Hat key into your GPG keyring:
# gpg --recv-keys fd431d51 # gpg --fingerprint -k fd431d51
Compare the fingerprint of the Red Hat public key with the fingerprint on the Customer Portal website. You cannot use the GPG key for verifying the ISO files, but it is useful for e.g. verifying RPM package updates that you can download directly from Red Hat websites and that are not installed the usual way via an official yum repository.