On Tue, Aug 28, 2012 at 6:53 PM, Johnny A. Solbu <[email protected]> wrote:
> On Monday 27 August 2012 15:55, Alejandro López wrote:
>> Maybe it could be worth downloading a single compressed file containing the
>> ISO image, the checksums and the signatures.
>
> Then how do you verify the compressed archive containing the iso with
> signature and checksums? You need another signature file and checksum files
> to check the archive, thus defeating the purpose.

You don't have to sign this again:
- you check the checksums against the iso file,
- you check the signatures of checksums are correct and match the right key
  (here Mageia's public key),
- and you're done.

If someone tampers with the ISO and/or checksums, the signature check will fail.
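
The steps listed in the reply above, as an added shell example that is not part of the original message. It assumes SHA-256 checksums in `sha256sum` format, a detached OpenPGP signature over the checksum file, and a keyring file holding only the trusted public key; the function name `verify_iso` and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example: verify an ISO through a detached-signed checksum file.
# Assumptions (not from the thread): SHA-256 sums in `sha256sum` format and
# a keyring file (path containing a slash) that holds only the trusted key.

# verify_iso ISO SUMS SIG KEYRING -> returns 0 only if every check passes
verify_iso() {
    iso=$1 sums=$2 sig=$3 keyring=$4

    for f in "$iso" "$sums" "$sig" "$keyring"; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 2; }
    done

    # 1. Authenticate the checksum file. gpgv accepts only keys found in
    #    $keyring, so a valid signature made by any other key is rejected.
    gpgv --keyring "$keyring" "$sig" "$sums" >/dev/null 2>&1 ||
        { echo "signature check failed: $sums" >&2; return 1; }

    # 2. Require an entry for this ISO. Otherwise a correctly signed checksum
    #    file that does not list the ISO would leave the image unchecked.
    name=$(basename "$iso")
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "no checksum entry for $name" >&2; return 1; }

    # 3. Compare the ISO's digest with the authenticated value.
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] ||
        { echo "checksum mismatch: $name" >&2; return 1; }

    echo "OK: $name"
}
```

The signature is checked before the digest so that the expected value is only ever read from an authenticated checksum file.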
