[arch-general] Archlinux ISO signing

Leonid Isaev lisaev at umail.iu.edu
Sun Jul 21 18:56:28 EDT 2013


	One of the ways to verify an archlinux iso image is via its gpg
signature. However, doing this on an atom/geode system with < 1GiB of RAM is
definitely not fun. And I suppose it also takes noticeable time to sign, even
on an opteron/xeon server.
	Is there a particular reason why the images themselves are signed as
opposed to only their checksum files? For instance, Fedora provides
sha256sums with inline sigs [1], and verifying image checksum + checksum file
signature is _much_ less CPU and memory demanding than verifying signature of
an entire image.



Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20130721/ddd55e1c/attachment.asc>

More information about the arch-general mailing list