> If someone is able to provide a fake ISO, he will also provide fake
> SHA256.sig and/or fake public key on the ISO. So there is no gain to
> provide such material as people will think "it is safe" whereas it is
> not.

that is true. however, the real reason it isn't on the media is that internal signing followed by exterior signing doesn't work with the snapshot release sequence i follow. and since snapshots don't have the interior signing, neither do releases. not that it matters. it's a great time to raise a rather late flag to the user and say "hey, did you perform diligence?". late, because they've already booted the media. we can't do much before they boot, and the moment this occurs is easy for us.