[arch-general] Archlinux ISO signing
Hi, One of the ways to verify an archlinux iso image is via its gpg signature. However, doing this on an atom/geode system with < 1GiB of RAM is definitely not fun. And I suppose it also takes noticeable time to sign, even on an opteron/xeon server. Is there a particular reason why the images themselves are signed as opposed to only their checksum files? For instance, Fedora provides sha256sums with inline sigs [1], and verifying image checksum + checksum file signature is _much_ less CPU and memory demanding than verifying signature of an entire image. Thanks, Leonid. [1] http://mirrors.kernel.org/fedora/releases/19/Live/x86_64/Fedora-Live-x86_64-... -- Leonid Isaev GnuPG key: 0x164B5A6D Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
[2013-07-21 18:56:28 -0400] Leonid Isaev:
Is there a particular reason why the images themselves are signed as opposed to only their checksum files? For instance, Fedora provides sha256sums with inline sigs [1], and verifying image checksum + checksum file signature is _much_ less CPU and memory demanding than verifying signature of an entire image.
Is it really? Because that's how OpenPGP signatures work internally: they first compute a hash of the content to be signed, and then sign that. The default hash in recent GPG versions is SHA256. The only slow down I could think of is if GPG first tries to compress the content to be signed, but this should not be the case with our ISOs... -- Gaetan
On Mon, 22 Jul 2013 08:13:23 +0900 Gaetan Bisson <bisson@archlinux.org> wrote:
[2013-07-21 18:56:28 -0400] Leonid Isaev:
Is there a particular reason why the images themselves are signed as opposed to only their checksum files? For instance, Fedora provides sha256sums with inline sigs [1], and verifying image checksum + checksum file signature is _much_ less CPU and memory demanding than verifying signature of an entire image.
Is it really?
No, you are right, gpg and sha256sum takes the same amount of time with gnupg 2.0.20. Before, I tested with 1.4 -- not sure why computing the checksums was faster...
Because that's how OpenPGP signatures work internally: they first compute a hash of the content to be signed, and then sign that. The default hash in recent GPG versions is SHA256. The only slow down I could think of is if GPG first tries to compress the content to be signed, but this should not be the case with our ISOs...
Thanks, I didn't know that. -- Leonid Isaev GnuPG key: 0x164B5A6D Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
participants (2)
-
Gaetan Bisson
-
Leonid Isaev