GPG supports the identity of the person distributing the file. SHAsum supports the identity of the file.
GPG, for instance, requires that someone owns a private key file, and they often use that keyfile in communication with other people, so there's a sense that yes, this keyfile is a file that This Person owns and has a passphrase to use, so I trust that when I get a file that is signed with that keyfile's signature, then it really is something coming from that person. (unless that person has been captured and tortured, or had both their keyfile AND passphrase stolen).
A SHAsum just looks at bits and verifies that they haven't changed. That's usually pretty good, but from what I understand, it can eventually be spoofed (not easily, but still...). There's no sense of personal interaction, either, so if ISOs get posted online and they're always signed by this one dev, but suddenly one is signed with a different key, I might be prompted to investigate what's going on - was the old key deprecated and s/he has a new key now, or is someone trying to slip something by me?
There may be lower level reasons (gpg integration with a build system, that sort of thing) but that's my understanding of the reasoning.
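As an added illustration of the answer above (this is not code from the original post, just a constructed demo): the script below stands in for the ISO-distribution scenario with throwaway keys in temporary GNUPGHOME directories. A maintainer signs a stand-in "ISO" and the user imports only that public key; an attacker then swaps the image, republishes a matching SHA-256 sum, and signs it with a fresh key that carries the same name. The checksum happily matches the attacker's republished sum (a hash names no author), while the signature check in the user's keyring fails for both the tampered file and the unknown key. It assumes `gpg` (2.x) and `sha256sum` or `shasum` are on PATH; the names, the e-mail address and the file contents are all made up.

```shell
#!/bin/sh
# Added example: SHA-256 answers "are these the published bytes?", a GPG
# detached signature answers "did the holder of this key publish them?".
# Everything here is throwaway: a constructed stand-in for an ISO and fresh
# keys in temporary GNUPGHOME dirs; the user's real keyring is never touched.
set -eu

WORK="$(mktemp -d)"
cleanup() {
    for h in "$WORK"/maintainer "$WORK"/attacker "$WORK"/user; do
        [ -d "$h" ] && GNUPGHOME="$h" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

ISO="$WORK/release.iso"
printf 'pretend this is a 4 GB installer image\n' > "$ISO"   # constructed sample

# sha256_of FILE: hex digest of the file's bytes, nothing about who made them.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1   # macOS / BSD fallback
    fi
}

# gen_key HOME NAME EMAIL: signing-only RSA key in its own keyring; prints the
# fingerprint. %no-protection (no passphrase) is acceptable only for a demo.
gen_key() {
    mkdir -p "$1" && chmod 700 "$1"
    GNUPGHOME="$1" gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
    GNUPGHOME="$1" gpg --batch --with-colons --fingerprint --list-keys "$3" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# sign_file HOME FILE SIG: detached, ASCII-armoured signature, the kind shipped next to an ISO.
sign_file() {
    GNUPGHOME="$1" gpg --batch --quiet --yes --armor --detach-sign --output "$3" "$2" 2>/dev/null
}

# verify_sig HOME FILE SIG: "good" only if the signature is valid AND was made by
# a key already in HOME's keyring; "bad" for tampered bytes or an unknown signer.
verify_sig() {
    if GNUPGHOME="$1" gpg --batch --quiet --verify "$3" "$2" >/dev/null 2>&1; then
        echo good
    else
        echo bad
    fi
}

# 1. The maintainer signs the release; the user imports ONLY the maintainer's public key.
MAINT="$WORK/maintainer"; USERK="$WORK/user"; ATTACKER="$WORK/attacker"
MAINT_FPR="$(gen_key "$MAINT" "Release Maintainer" "maintainer@example.invalid")"
mkdir -p "$USERK" && chmod 700 "$USERK"
GNUPGHOME="$MAINT" gpg --batch --quiet --export --armor "$MAINT_FPR" 2>/dev/null \
    | GNUPGHOME="$USERK" gpg --batch --quiet --import 2>/dev/null
sign_file "$MAINT" "$ISO" "$ISO.asc"
PUBLISHED_SHA="$(sha256_of "$ISO")"

# 2. An attacker swaps the image, republishes a matching checksum, and signs
#    with a brand-new key that carries the maintainer's name and address.
TAMPERED="$WORK/tampered.iso"
cp "$ISO" "$TAMPERED"; printf 'payload\n' >> "$TAMPERED"
gen_key "$ATTACKER" "Release Maintainer" "maintainer@example.invalid" >/dev/null
sign_file "$ATTACKER" "$TAMPERED" "$TAMPERED.asc"
ATTACKER_SHA="$(sha256_of "$TAMPERED")"

# 3. What each check tells the user.
REAL_SIG="$(verify_sig "$USERK" "$ISO" "$ISO.asc")"                 # good
TAMPERED_OLD_SIG="$(verify_sig "$USERK" "$TAMPERED" "$ISO.asc")"    # bad: bytes changed
TAMPERED_NEW_SIG="$(verify_sig "$USERK" "$TAMPERED" "$TAMPERED.asc")" # bad: unknown key
echo "sha256 of real ISO matches published sum: $([ "$(sha256_of "$ISO")" = "$PUBLISHED_SHA" ] && echo yes || echo no)"
echo "sha256 of tampered ISO matches attacker's sum: $([ "$ATTACKER_SHA" = "$(sha256_of "$TAMPERED")" ] && echo yes || echo no)"
echo "maintainer signature on real ISO:       $REAL_SIG"
echo "maintainer signature on tampered ISO:   $TAMPERED_OLD_SIG"
echo "attacker signature (same name) on ISO:  $TAMPERED_NEW_SIG"
```

The last three lines are the point of the answer in runnable form: the hash only distinguishes the tampered file if you obtained the original sum over a channel the attacker could not touch, whereas the signature fails the moment the signer is not a key you already trust, which is exactly the "suddenly signed with a different key" prompt to investigate.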