[2013-07-21 18:56:28 -0400] Leonid Isaev:
> Is there a particular reason why the images themselves are signed as
> opposed to only their checksum files? For instance, Fedora provides
> sha256sums with inline sigs [1], and verifying image checksum + checksum file
> signature is _much_ less CPU and memory demanding than verifying signature of
> an entire image.

Is it really? Because that's how OpenPGP signatures work internally: they first compute a hash of the content to be signed, and then sign that. The default hash in recent GPG versions is SHA256.

The only slowdown I could think of is if GPG first tries to compress the content to be signed, but this should not be the case with our ISOs...

--
Gaetan
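The hash-then-sign point in the reply above, as an added example that is not part of the original message: it counts how many bytes each verification workflow feeds to SHA-256. Assumptions: HMAC-SHA256 over the digest stands in for the public-key operation, the 1 MiB image is constructed, and `KEY`, `NAME` and the function names are hypothetical.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"      # assumption: stands in for the signing key
IMAGE = bytes(range(256)) * 4096   # constructed 1 MiB "ISO"
NAME = "demo.iso"                  # hypothetical file name

def digest(data, stats):
    """SHA-256 over data, recording how many bytes were hashed."""
    stats["hashed"] += len(data)
    return hashlib.sha256(data).digest()

def sign(data, stats):
    """Hash-then-sign: one pass over data, then a fixed-size step on 32 bytes."""
    stats["sig_ops"] += 1
    return hmac.new(KEY, digest(data, stats), hashlib.sha256).digest()

def verify(data, sig, stats):
    """Recompute the signature over data and compare in constant time."""
    return hmac.compare_digest(sign(data, stats), sig)

def check_image_sig(image, sig):
    """Workflow 1: detached signature over the image itself."""
    stats = {"hashed": 0, "sig_ops": 0}
    return verify(image, sig, stats), stats

def check_signed_sums(image, sums, sums_sig, name):
    """Workflow 2: verify the signed checksum file, then checksum the image."""
    stats = {"hashed": 0, "sig_ops": 0}
    sig_ok = verify(sums, sums_sig, stats)
    lines = (l.split("  ", 1) for l in sums.decode().splitlines())
    listed = {n: h for h, n in lines}
    actual = digest(image, stats).hex()
    return sig_ok and hmac.compare_digest(actual, listed.get(name, "")), stats

def demo(image=IMAGE):
    """Publisher signs the original IMAGE; both workflows then check `image`."""
    scratch = {"hashed": 0, "sig_ops": 0}
    image_sig = sign(IMAGE, scratch)
    sums = f"{hashlib.sha256(IMAGE).hexdigest()}  {NAME}\n".encode()
    sums_sig = sign(sums, scratch)
    return (check_image_sig(image, image_sig),
            check_signed_sums(image, sums, sums_sig, NAME))

if __name__ == "__main__":
    labels = ("image signature", "signed checksums")
    for label, (ok, stats) in zip(labels, demo()):
        print(f"{label}: ok={ok} {stats}")
```

Both workflows make exactly one full SHA-256 pass over the image and one fixed-size signature step; the checksum-file route additionally hashes the small checksum file.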