http://ftp.debian.org/debian/dists/sarge/main/installer-i386/current/images/ contains images used during installation of sarge, whose MD5 sums aren't signed. There's no way to verify the files you download are released by the Debian project, and not the result of a man-in-the-middle attack.
Still, MD5sums aren't signed.
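The gap described in this report, as an added example (not part of the original report and not Debian's code): a checksum file fetched over the same channel as the image only detects accidental corruption, while a digest anchored outside that channel, which is what a signature over the sums file would provide, detects substitution. The file name `boot.img`, the image bytes and the out-of-band `PINNED` digest are constructed assumptions.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_md5sums(text: str) -> dict:
    """Parse md5sum-style lines: '<hex digest>  <path>' or '<hex digest> *<path>'."""
    sums = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.partition(" ")
        sums[name.lstrip(" *")] = digest.lower()
    return sums


def verify(mirror: dict, name: str, trusted: dict) -> bool:
    """True if mirror[name] hashes to the digest recorded in `trusted`."""
    expected = trusted.get(name)
    return expected is not None and md5_hex(mirror[name]) == expected


def build_mirror(image: bytes) -> dict:
    """Constructed stand-in for a mirror directory: one image plus its MD5SUMS."""
    return {"boot.img": image, "MD5SUMS": f"{md5_hex(image)}  boot.img\n".encode()}


def check_both_ways(mirror: dict, pinned: dict) -> tuple:
    """Return (result using the mirror's own MD5SUMS, result using pinned digests)."""
    from_mirror = parse_md5sums(mirror["MD5SUMS"].decode())
    return verify(mirror, "boot.img", from_mirror), verify(mirror, "boot.img", pinned)


genuine = build_mirror(b"constructed genuine image bytes")
# Assumption: this digest reached the user over a channel the network path
# cannot alter, standing in for a verified signature over MD5SUMS.
PINNED = parse_md5sums(genuine["MD5SUMS"].decode())
# What a modified download looks like: image and MD5SUMS replaced together.
tampered = build_mirror(b"constructed substituted image bytes")

if __name__ == "__main__":
    print("genuine :", check_both_ways(genuine, PINNED))
    print("tampered:", check_both_ways(tampered, PINNED))
```

The first element of each result is the check a user can perform with unsigned sums; it passes for both downloads.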