Post-quantum cryptographic signatures for every commit, artifact, and container image. One CLI command. Every CI/CD pipeline. Sigstore compatible. Built for the post-SolarWinds era.
SolarWinds: roughly 18,000 organizations received compromised updates. The backdoored build carried a valid SolarWinds signature, because the build environment itself had been compromised; the signature proved nothing about the code's provenance. Nation-state actors injected malicious code into trusted software.
xz-utils: a backdoor was inserted into a critical compression library after two years of social engineering. The release tarballs were signed with a maintainer's GPG key, but the signer was the attacker, so the signature provided zero supply-chain integrity.
Quantum risk: harvest-now-decrypt-later attacks against today's encrypted traffic are already underway. For signatures the threat is forgery: once a cryptographically relevant quantum computer exists, signatures made with RSA or ECDSA can be forged, and artifacts that must stay verifiable for years need a post-quantum signature scheme now.
Keys: an ML-DSA-65 (FIPS 204) key pair, seeded from a quantum random number generator. Non-deterministic from creation.
Signing: the signed message binds the artifact's SHA-256 digest, a random nonce from the same quantum source, and a timestamp. Two signatures over the same artifact therefore never match.
Verification: a public endpoint, no account needed. Cryptographic proof, not trust: every signature is anchored in the Sigstore Rekor transparency log, so a verifier checks an inclusion proof against the log's signed root instead of taking the service's word for it.
GitHub Actions:

```yaml
- uses: quantum-code-sign/sign@v1
  with:
    api_key: ${{ secrets.QCS_KEY }}
    key_id: ${{ secrets.KEY_ID }}
    artifact_path: ./dist/app.tar.gz
    sign_commit: true
```
GitLab CI:

```yaml
include:
  - remote: 'qcs/template'
variables:
  QCS_ARTIFACT_PATH: ./dist/app.tar.gz
  QCS_SIGN_COMMIT: "true"
```
CircleCI:

```yaml
orbs:
  qcs: quantum-code-sign/sign@0.1
workflows:
  sign:
    jobs:
      - qcs/sign:
          artifact_path: ./dist/app.tar.gz
```
Every signature generates a Sigstore-compatible bundle. Verify with cosign or the Rekor API.