21 Jul
2013
21 Jul
'13
11:13 p.m.
[2013-07-21 18:56:28 -0400] Leonid Isaev:
Is there a particular reason why the images themselves are signed as opposed to only their checksum files? For instance, Fedora provides sha256sums with inline sigs [1], and verifying image checksum + checksum file signature is _much_ less CPU and memory demanding than verifying signature of an entire image.
Is it really? Because that's how OpenPGP signatures work internally: they first compute a hash of the content to be signed, and then sign that. The default hash in recent GPG versions is SHA256. The only slow down I could think of is if GPG first tries to compress the content to be signed, but this should not be the case with our ISOs... -- Gaetan