[arch-general] Archlinux ISO signing

Leonid Isaev lisaev at umail.iu.edu
Mon Jul 22 12:34:50 EDT 2013

On Mon, 22 Jul 2013 08:13:23 +0900
Gaetan Bisson <bisson at archlinux.org> wrote:

> [2013-07-21 18:56:28 -0400] Leonid Isaev:
> > 	Is there a particular reason why the images themselves are signed
> > as opposed to only their checksum files? For instance, Fedora provides
> > sha256sums with inline sigs [1], and verifying image checksum + checksum
> > file signature is _much_ less CPU and memory demanding than verifying
> > signature of an entire image.
> Is it really?

No, you are right, gpg and sha256sum takes the same amount of time with gnupg

Before, I tested with 1.4 -- not sure why computing the checksums was faster...

> Because that's how OpenPGP signatures work internally: they first
> compute a hash of the content to be signed, and then sign that. The
> default hash in recent GPG versions is SHA256. The only slow down I
> could think of is if GPG first tries to compress the content to be
> signed, but this should not be the case with our ISOs...

Thanks, I didn't know that.

Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20130722/8e340821/attachment-0001.asc>

More information about the arch-general mailing list