Skip to content

[Feature Request] ML-DSA (FIPS 204) post-quantum signing and verification support #4960

Description

@netanmangal

Summary

Sigstore's PQC blog post committed to ML-DSA support, and the groundwork has been laid (protobuf-specs define ML-DSA algorithm IDs, Trail of Bits built cryptographic agility, --signing-algorithm flag exists). But cosign itself cannot generate ML-DSA keys, sign with ML-DSA, or verify ML-DSA signatures today.

This issue tracks the remaining work to deliver ML-DSA support in cosign.

What's Already Done

Component Status
protobuf-specs ML-DSA enum values (23, 21, 22) Defined, marked "Experimental"
--signing-algorithm flag (cosign PR #3497) Merged
Hardcoded SHA-256 removal (cosign PR #4050) Merged
Fulcio --client-signing-algorithms (PR #1938, #1959) Merged
Rekor --client-signing-algorithms (PR #1974, #1945) Merged
sigstore-go ML-DSA Keypair interface Available for experimentation
Trail of Bits ML-DSA proof-of-concept Built

What's Missing

# These should work but don't yet:
cosign generate-key-pair --algorithm ml-dsa-65
cosign sign --key cosign.key myregistry/myimage:latest
cosign verify --key cosign.pub myregistry/myimage:latest

Specifically:

  • ML-DSA key pair generation in cosign CLI
  • ML-DSA signing of container images and artifacts
  • ML-DSA signature verification
  • Fulcio ML-DSA certificate issuance (ephemeral keys)
  • Rekor ML-DSA signature storage and verification
  • Hybrid mode: dual-sign with ECDSA + ML-DSA for backward compatibility
  • Remove "Experimental" status from protobuf-specs ML-DSA entries

Blocker Status

The blog post cited Go's crypto/mldsa as the blocker for public instance adoption.
This blocker is resolving: Go 1.27's crypto/mldsa proposal has been
Accepted and will ship ~Aug/Sep 2026 with a public API for ML-DSA-44, ML-DSA-65, and ML-DSA-87.

Why This Matters

Container images and software artifacts may be verified years after signing. Unlike TLS (where the handshake is ephemeral), a signature on a container image persists indefinitely. This makes supply chain signing a prime target for "harvest now, forge later" attacks - an adversary who obtains a quantum computer could forge ECDSA signatures on existing artifacts.

France's ANSSI will stop certifying non-PQC products from 2027. Supply chain security tooling needs to lead this transition.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions