Summary
Sigstore's PQC blog post committed to ML-DSA support, and the groundwork has been laid (protobuf-specs define ML-DSA algorithm IDs, Trail of Bits built cryptographic agility, --signing-algorithm flag exists). But cosign itself cannot generate ML-DSA keys, sign with ML-DSA, or verify ML-DSA signatures today.
This issue tracks the remaining work to deliver ML-DSA support in cosign.
What's Already Done
| Component |
Status |
| protobuf-specs ML-DSA enum values (23, 21, 22) |
Defined, marked "Experimental" |
--signing-algorithm flag (cosign PR #3497) |
Merged |
| Hardcoded SHA-256 removal (cosign PR #4050) |
Merged |
Fulcio --client-signing-algorithms (PR #1938, #1959) |
Merged |
Rekor --client-signing-algorithms (PR #1974, #1945) |
Merged |
| sigstore-go ML-DSA Keypair interface |
Available for experimentation |
| Trail of Bits ML-DSA proof-of-concept |
Built |
What's Missing
# These should work but don't yet:
cosign generate-key-pair --algorithm ml-dsa-65
cosign sign --key cosign.key myregistry/myimage:latest
cosign verify --key cosign.pub myregistry/myimage:latest
Specifically:
Blocker Status
The blog post cited Go's crypto/mldsa as the blocker for public instance adoption.
This blocker is resolving: Go 1.27's crypto/mldsa proposal has been
Accepted and will ship ~Aug/Sep 2026 with a public API for ML-DSA-44, ML-DSA-65, and ML-DSA-87.
Why This Matters
Container images and software artifacts may be verified years after signing. Unlike TLS (where the handshake is ephemeral), a signature on a container image persists indefinitely. This makes supply chain signing a prime target for "harvest now, forge later" attacks - an adversary who obtains a quantum computer could forge ECDSA signatures on existing artifacts.
France's ANSSI will stop certifying non-PQC products from 2027. Supply chain security tooling needs to lead this transition.
References
Summary
Sigstore's PQC blog post committed to ML-DSA support, and the groundwork has been laid (protobuf-specs define ML-DSA algorithm IDs, Trail of Bits built cryptographic agility,
--signing-algorithmflag exists). But cosign itself cannot generate ML-DSA keys, sign with ML-DSA, or verify ML-DSA signatures today.This issue tracks the remaining work to deliver ML-DSA support in cosign.
What's Already Done
--signing-algorithmflag (cosign PR #3497)--client-signing-algorithms(PR #1938, #1959)--client-signing-algorithms(PR #1974, #1945)What's Missing
# These should work but don't yet: cosign generate-key-pair --algorithm ml-dsa-65 cosign sign --key cosign.key myregistry/myimage:latest cosign verify --key cosign.pub myregistry/myimage:latestSpecifically:
Blocker Status
The blog post cited Go's
crypto/mldsaas the blocker for public instance adoption.This blocker is resolving: Go 1.27's
crypto/mldsaproposal has beenAccepted and will ship ~Aug/Sep 2026 with a public API for ML-DSA-44, ML-DSA-65, and ML-DSA-87.
Why This Matters
Container images and software artifacts may be verified years after signing. Unlike TLS (where the handshake is ephemeral), a signature on a container image persists indefinitely. This makes supply chain signing a prime target for "harvest now, forge later" attacks - an adversary who obtains a quantum computer could forge ECDSA signatures on existing artifacts.
France's ANSSI will stop certifying non-PQC products from 2027. Supply chain security tooling needs to lead this transition.
References