Add ML-DSA support #1124

Draft
jku wants to merge 5 commits into secure-systems-lab:main from jku:mldsa

jku commented May 12, 2026

This is a DRAFT implementation of a proposed TAP: theupdateframework/taps#195

This currently enables the ML-DSA for verification and signing by default for easier testing: In reality, if the TAP stays unapproved, we may want to leave the verify support disabled until TAP is approved.

Support is added to

  • SSLibKey (Verification in general)
  • Cryptosigner (Signing with keys-on-disk)
  • GCPsigner (Signing with Google Cloud KMS)

This makes cryptography 48 a requirement

  • we could make this more complicated with a separate feature that only requires 48 if enabled but I'm not going to unless someone has a good reason for it
  • ML-DSA support was added in 47 already but support via openssl only became available in 48

Currently sigstore is not compatible with new cryptography so those tests fail -- it just needs a new release

The test code is from AI.

jku added 2 commits May 12, 2026 14:27
This is related to proposed TAP:
theupdateframework/taps#195

This currently enables the key for verification and signing for easier
testing: In reality we may want to leave the verify support disabled
until the TAP is approved.

This makes cryptography 48 a requirement
* we could make this more complicated with a separate feature
  but I'm not going to unless someone has a good reason for it
* ML-DSA support was added in 47 already but support via openssl
  only became available in 48

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>

jku commented May 12, 2026

jku added 3 commits May 13, 2026 11:38
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
The skip is for SSLibKey._verify: I think it makes sense
to be a longer function

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
]:
if not isinstance(private_key, RSAPrivateKey):
raise ValueError(f"invalid rsa key: {type(private_key)}")
assert_type("rsa", private_key, RSAPrivateKey)
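
Review bot: On the `assert_type("rsa", private_key, RSAPrivateKey)` line, which stands in for the explicit `isinstance` check and `raise ValueError(...)`, the helper's body is not visible here, so please confirm it still raises `ValueError` with the offending type in the message rather than relying on a bare `assert`. A bare `assert` would change the exception callers see to `AssertionError` and would be skipped entirely under `python -O`, letting a key of the wrong type through. A test that passes a non-RSA key and expects `ValueError` would pin the behaviour down, and a short docstring on `assert_type` stating what it raises would help.
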
jku commented May 13, 2026

all these assert tweaks are just to keep linter happy ("too many branches"): the functionality should not change
