Skip to content

feat(kms): add post-quantum signing example using ML-DSA-87#415

Open
a-custodio wants to merge 15 commits into
GoogleCloudPlatform:mainfrom
a-custodio:feat/pqc-pdf-signing-example
Open

feat(kms): add post-quantum signing example using ML-DSA-87#415
a-custodio wants to merge 15 commits into
GoogleCloudPlatform:mainfrom
a-custodio:feat/pqc-pdf-signing-example

Conversation

@a-custodio

@a-custodio a-custodio commented Jun 8, 2026

Copy link
Copy Markdown

This PR adds a comprehensive sample demonstrating Post-Quantum Cryptography (PQC) for digital signatures. It implements the ML-DSA-87 algorithm using Google Cloud KMS and provides a complete workflow for infrastructure provisioning, signing, and verification.

Implementation Details

  • Infrastructure: Provisions a KMS KeyRing and CryptoKey with ALGORITHM_ML_DSA_87 via Terraform.
  • Verification Logic: Implements a robust verification mechanism that handles the OpenSSL 3.5+ dependency by leveraging a sidecar Docker container (alpine:latest). This ensures cross-platform compatibility for NIST-standardized PQC algorithms.
  • Scripts:
    • sign.sh: Wraps gcloud kms asymmetric-sign.
    • verify.sh: Exports public key and performs verification via OpenSSL 3.5.

Test Plan

  • Integration Tests: A new test suite has been added to test/integration/pqr-kms-signing/ using blueprint-test.
  • Manual Verification:
    • Successfully deployed via terraform apply.
    • Verified signing and validation on Linux/macOS.
    • Confirmed that tampered files correctly fail verification.

Test Logs:

1 --- PASS: TestPQRSigningModule (145.23s)
2 pqr_kms_signing_test.go:78: Signature is VALID!
3 pqr_kms_signing_test.go:85: Verify script should fail on tampered content
4 PASS
5 ok pqr_kms_signing 145.23s

a-custodio added 15 commits May 8, 2026 09:55
@a-custodio
feat: add post-quantum KMS signing example using ML-DSA-65
f4c4d02 
Add a new example demonstrating how to use Google Cloud KMS with a
post-quantum cryptographic key (ML-DSA-65) to sign documents and
verify signatures, producing a .sig file.
@a-custodio
fix: add missing backslash on makefile docker_generate_docs
68941d6
@a-custodio
chore: add headers and fix lint erros
0d56bd7
@a-custodio
chore: fix lint erros and change the algorithm to ML-DSA-87
c67bec5
@a-custodio
feat: change the algorithm field to a environment var
d6ebec1
@a-custodio
chore: attending review fixes
9f5ad74
@a-custodio
chore: review fixes
337a718
@a-custodio
refactor: replace Python CLI with Bash scripts for simpler PQC signin…
076e8e0 
…g workflow
@a-custodio
fix: readme file on wrong folder
0151c13
@a-custodio
fix: review fixes
3b8c0e9
@a-custodio
fix: review fixes
d49b210
@a-custodio
feat: adding integration test
0a28e80
@a-custodio
refactor: refactor post quantum cites
21aad7a
@a-custodio
chore: updating docs
f011d00
@a-custodio
chore: lint
ef35a22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@brandonluong-lgtm brandonluong-lgtm Awaiting requested review from brandonluong-lgtm brandonluong-lgtm is a code owner

@erlanderlo erlanderlo Awaiting requested review from erlanderlo erlanderlo is a code owner

@g-swap g-swap Awaiting requested review from g-swap g-swap is a code owner

@tdbhacks tdbhacks Awaiting requested review from tdbhacks tdbhacks is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@a-custodio