[arch-general] Archlinux ISO signing

Gaetan Bisson bisson at archlinux.org
Sun Jul 21 19:13:23 EDT 2013

[2013-07-21 18:56:28 -0400] Leonid Isaev:
> 	Is there a particular reason why the images themselves are signed as
> opposed to only their checksum files? For instance, Fedora provides
> sha256sums with inline sigs [1], and verifying image checksum + checksum file
> signature is _much_ less CPU and memory demanding than verifying signature of
> an entire image.

Is it really?

Because that's how OpenPGP signatures work internally: they first
compute a hash of the content to be signed, and then sign that. The
default hash in recent GPG versions is SHA256. The only slow down I
could think of is if GPG first tries to compress the content to be
signed, but this should not be the case with our ISOs...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 230 bytes
Desc: not available
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20130722/7467879d/attachment.asc>

More information about the arch-general mailing list