The signature size is roughly proportional to the number of files in
the package.
Can you explain how the signature is performed? I assume that the
verity
top-level hash is calculated for each file and then … ?
And if you have all the per-file hashes, why not do one more level of
Merkle and calculate a single hash for all the files in the rpm and sign
that (so that the signature overhead is of fixed size)?
Zbyszek