[arch-general] Archlinux ISO signing

Leonid Isaev lisaev at umail.iu.edu
Sun Jul 21 18:56:28 EDT 2013


Hi,

	One of the ways to verify an archlinux iso image is via its gpg
signature. However, doing this on an atom/geode system with < 1GiB of RAM is
definitely not fun. And I suppose it also takes noticeable time to sign, even
on an opteron/xeon server.
	Is there a particular reason why the images themselves are signed as
opposed to only their checksum files? For instance, Fedora provides
sha256sums with inline sigs [1], and verifying image checksum + checksum file
signature is _much_ less CPU and memory demanding than verifying signature of
an entire image.

Thanks,
Leonid.

[1]
http://mirrors.kernel.org/fedora/releases/19/Live/x86_64/Fedora-Live-x86_64-19-CHECKSUM

-- 
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20130721/ddd55e1c/attachment.asc>


More information about the arch-general mailing list