Why aren't installer isos gpg signed?



  • When downloading a Linux installer iso, the user is supposed to check the iso with sha or md5sum and compare the result against a checksum file, and then check the gpg signature of the checksum file.

    If I understand it right, the checksum is to test for iso integrity (iso not corrupted) and gpg checks that the checksum was not manipulated. So why is the iso itself not signed?



  • It's faster and easier for the vast majority of users to just use sha1sum or md5sum than to import the GPG key and check it.

    And if an attacker could change the hashes on the official site, the same attacker would be able to change the keys there too.
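    The two-step check described in the question, and the attacker scenario raised in the answer, as an added example that is not part of this thread. It assumes a SHA256SUMS-style checksum file, a detached signature file, and `gpg` on the PATH with the distributor's key already imported; the file names and contents are constructed for the demo.

    ```python
    import hashlib
    import os
    import subprocess
    import tempfile

    def parse_checksum_file(text):
        """Parse a SHA256SUMS-style file: one '<hex digest>  <filename>' per line."""
        sums = {}
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            digest, _, name = line.partition(" ")
            sums[name.strip().lstrip("*")] = digest.lower()  # '*name' marks binary mode
        return sums

    def sha256_of_file(path):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        return h.hexdigest()

    def checksum_matches(iso_path, checksum_text):
        """Integrity step: does the ISO hash to the value listed for its file name?"""
        expected = parse_checksum_file(checksum_text).get(os.path.basename(iso_path))
        return expected is not None and sha256_of_file(iso_path) == expected

    def signature_valid(checksum_path, sig_path):
        """Authenticity step: verify the detached GPG signature over the checksum file.
        Hypothetical helper; requires gpg and the distributor's public key to be present."""
        r = subprocess.run(["gpg", "--verify", sig_path, checksum_path], capture_output=True)
        return r.returncode == 0

    def demo():
        """Constructed data: a modified ISO whose checksum file was modified to match
        passes the checksum step; only the signature over the checksum file can catch that."""
        with tempfile.TemporaryDirectory() as d:
            iso = os.path.join(d, "distro.iso")
            with open(iso, "wb") as f:
                f.write(b"original installer bytes")
            good_sums = f"{sha256_of_file(iso)}  distro.iso\n"   # published with the real ISO
            with open(iso, "wb") as f:
                f.write(b"modified installer bytes")             # ISO swapped on the mirror
            bad_sums = f"{sha256_of_file(iso)}  distro.iso\n"    # checksum file swapped too
            return checksum_matches(iso, good_sums), checksum_matches(iso, bad_sums)
    ```

    The original checksum file rejects the modified ISO, but the swapped checksum file accepts it, which is exactly why the signature check on the checksum file is the step that matters.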


