On Mon, 22 Jul 2013 08:13:23 +0900
Gaetan Bisson <bisson@xxxxxxxxxxxxx> wrote:

> [2013-07-21 18:56:28 -0400] Leonid Isaev:
> > Is there a particular reason why the images themselves are signed
> > as opposed to only their checksum files? For instance, Fedora provides
> > sha256sums with inline sigs [1], and verifying image checksum + checksum
> > file signature is _much_ less CPU and memory demanding than verifying
> > signature of an entire image.
>
> Is it really?

No, you are right, gpg and sha256sum take the same amount of time with
gnupg 2.0.20. Before, I tested with 1.4 -- not sure why computing the
checksums was faster...

> Because that's how OpenPGP signatures work internally: they first
> compute a hash of the content to be signed, and then sign that. The
> default hash in recent GPG versions is SHA256. The only slow down I
> could think of is if GPG first tries to compress the content to be
> signed, but this should not be the case with our ISOs...

Thanks, I didn't know that.

-- 
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
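The hash-then-sign step discussed in the thread, as an added Python example that is not part of the original messages: it computes the digest an OpenPGP v4 binary-document signature is made over, following RFC 4880 section 5.2.4. The image bytes and the creation-time subpacket are constructed sample values, and the function names are this example's own.

```python
import hashlib
import io
import struct

CHUNK = 1 << 20  # read the content in 1 MiB pieces, as a streaming verifier does

# Constructed sample data (not a real ISO, not a real signature).
IMAGE = b"constructed ISO bytes\n" * 100_000
# One hashed subpacket: length 5, type 2 (signature creation time), 4-byte timestamp.
SUBPACKETS = b"\x05\x02" + struct.pack(">I", 1374448403)


def stream_sha256(stream, h=None):
    """Feed a binary stream into a SHA-256 object; return (hash_obj, bytes_read)."""
    if h is None:
        h = hashlib.sha256()
    total = 0
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
        total += len(chunk)
    return h, total


def v4_signature_digest(stream, hashed_subpackets,
                        sig_type=0x00, pubkey_algo=1, hash_algo=8):
    """Digest that a v4 signature signs: content, then signature metadata, then trailer.

    sig_type 0x00 = binary document, pubkey_algo 1 = RSA, hash_algo 8 = SHA256.
    """
    h, _ = stream_sha256(stream)  # the only pass over the (large) content
    hashed_part = struct.pack(">BBBBH", 4, sig_type, pubkey_algo, hash_algo,
                              len(hashed_subpackets)) + hashed_subpackets
    h.update(hashed_part)
    # Six-octet trailer: version, 0xFF, big-endian length of hashed_part.
    h.update(b"\x04\xff" + struct.pack(">I", len(hashed_part)))
    return h.digest()


def extra_bytes_hashed(hashed_subpackets):
    """Bytes hashed beyond the content itself: 6-byte header + subpackets + 6-byte trailer."""
    return 6 + len(hashed_subpackets) + 6


if __name__ == "__main__":
    plain, size = stream_sha256(io.BytesIO(IMAGE))
    signed = v4_signature_digest(io.BytesIO(IMAGE), SUBPACKETS)
    print("sha256sum-style digest :", plain.hexdigest())
    print("digest the key signs   :", signed.hex())
    print(f"content bytes {size}, extra bytes {extra_bytes_hashed(SUBPACKETS)}")
```

The public-key operation is then applied to this fixed-size digest, so both approaches make one hashing pass over the image and differ only by a few bytes of signature metadata.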