1

Archlinux ISO signing

view story
linux-howto

http://archlinux.2023198.n4.nabble.com – Hi,         One of the ways to verify an archlinux iso image is via its gpg signature. However, doing this on an atom/geode system with < 1GiB of RAM is definitely not fun. And I suppose it also takes noticeable time to sign, even on an opteron/xeon server.         Is there a particular reason why the images themselves are signed as opposed to only their checksum files? For instance, Fedora provides sha256sums with inline sigs [1], and verifying image checksum + checksum file signature is _much_ less CPU and memory demanding than verifying signature o (Distributions)