the network installer has the key needed to validate the packages. the media the packages come from does not materially change things (it's just network vs disk)
if you are behind GREAT FIREWALL of X, you have no way of knowing if the install media you are using has been tampered with, you have no way of knowing if your attempts to validate the key are being tampered with, you could try and make a phone call to someone outside the firewall, or smuggle in media from outside and validate things that way
But once you have trusted install media (for whatever value of trust you want to go to), that install media will validate the packages.
The chain of trust is traceable to individual keys, not to CA entities, so the fact that the government is a CA entity doesn't change things.