[mocko]

For reference, here's a check of the torrent with the .torrent file I snagged from https://www.qubes-os.org/downloads/ last night. Master signing key checked against the fingerprint published on the mailing list in 2013. Looks legit.

  Qubes-R3.2-x86_64 moi$ gpg --verify Qubes-R3.2-x86_64.iso.asc Qubes-R3.2-x86_64.iso
  gpg: Signature made Tue Sep 20 18:33:37 2016 BST using RSA key ID 03FA5082
  gpg: Good signature from "Qubes OS Release 3 Signing Key" [full]

[mocko]

For reference II - downloaded the .iso. Despite a usually robust connection the download was interrupted three times. I have no idea whether this signifies anything. Curl resumed where it left off and in the end...

  Qubes-R3.2-x86_64 moi$ gpg --verify Qubes-R3.2-x86_64.iso.asc Qubes-R3.2-x86_64.iso_WEBDL
  gpg: Signature made Tue Sep 20 18:33:37 2016 BST using RSA key ID 03FA5082
  gpg: Good signature from "Qubes OS Release 3 Signing Key" [full]

Of course (skipping merrily off into tinfoil-hat-land) that doesn't eliminate the possibility that the OP's download had been MITM-ed. However this would have to be by someone who:

1) Controls part of the network infrastructure between them and mirrors.kernel.org (i.e. routers, cables or DNS)

2) Can fake a TLS certificate for mirrors.kernel.org

So, corrupted download or a targeted MITM attack by a state-level actor? Who the hell knows anymore.