On Mon, 22 Jul 2013 08:13:23 +0900 Gaetan Bisson <bisson@archlinux.org> wrote:
[2013-07-21 18:56:28 -0400] Leonid Isaev:
Is there a particular reason why the images themselves are signed as opposed to only their checksum files? For instance, Fedora provides sha256sums with inline sigs [1], and verifying image checksum + checksum file signature is _much_ less CPU and memory demanding than verifying signature of an entire image.
Is it really?
No, you are right, gpg and sha256sum take the same amount of time with gnupg 2.0.20. Before, I tested with 1.4 -- not sure why computing the checksums was faster...
Because that's how OpenPGP signatures work internally: they first compute a hash of the content to be signed, and then sign that. The default hash in recent GPG versions is SHA256. The only slowdown I could think of is if GPG first tries to compress the content to be signed, but this should not be the case with our ISOs...
Thanks, I didn't know that.
-- 
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
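As an added example (not code from the thread or from either distribution), the Fedora-style workflow Leonid describes: verifying an image against a clearsigned sha256sums list, in Python. It assumes the clearsigned file has already passed `gpg --verify`; the sample image, file name and checksum list are constructed. The streaming hash pass is the same work gpg does over a whole ISO before it checks the signature on the digest, which is Gaetan's point about equal cost.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# sha256sum output line: "<hex>  <name>" (a leading '*' marks binary mode).
_SUM_LINE = re.compile(r"^([0-9a-f]{64})\s+\*?(\S.*)$")

def clearsigned_body(text):
    """Message lines of an OpenPGP clearsigned text (RFC 4880, section 7); only
    the armor and dash-escaping are undone. Run `gpg --verify` on it first."""
    lines = text.splitlines()
    body = lines[lines.index("-----BEGIN PGP SIGNED MESSAGE-----") + 1:
                 lines.index("-----BEGIN PGP SIGNATURE-----")]
    body = body[body.index("") + 1:]  # drop the "Hash: ..." armor headers
    return [l[2:] if l.startswith("- ") else l for l in body]

def parse_checksums(body_lines):
    """Map file name -> expected SHA-256 hex digest; other lines are ignored."""
    matches = (_SUM_LINE.match(l) for l in body_lines)
    return {m.group(2): m.group(1) for m in matches if m}

def sha256_file(path, chunk=1 << 20):
    """One streaming pass over the image in constant memory: the same work gpg
    does before it checks the signature on the digest, hence the equal cost."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(path, clearsigned_text):
    """True if the image at `path` matches its entry in the (verified) list."""
    expected = parse_checksums(clearsigned_body(clearsigned_text))
    return sha256_file(path) == expected.get(Path(path).name)

def demo():
    """Constructed sample: returns (intact file verifies, tampered file verifies)."""
    image = b"constructed sample image bytes\n" * 1000
    listing = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
               "- # dash-escaped comment line, not a checksum\n"
               f"{hashlib.sha256(image).hexdigest()}  sample.iso\n"
               "-----BEGIN PGP SIGNATURE-----\n(placeholder, no real signature)\n"
               "-----END PGP SIGNATURE-----\n")
    with tempfile.TemporaryDirectory() as d:
        path = Path(d, "sample.iso")
        path.write_bytes(image)
        intact = verify_image(path, listing)
        path.write_bytes(image + b"\x00")  # tamper: append one byte
        return intact, verify_image(path, listing)
```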