Find quantum risk in your code-signing workflows
Release artifacts, container images, and packages are signed with RSA or ECDSA keys today. PostQ helps you discover where those signing keys and certificates live so you can plan a migration toward hybrid and post-quantum signatures.
- Inventory code-signing certificates and keys
- Flag quantum-vulnerable signing algorithms (RSA, ECDSA, EdDSA)
- Map CI/CD signing workflows and release pipelines
- Plan a path toward hybrid ML-DSA + classical signatures
Why code signing needs a migration plan
Signatures verify the integrity and provenance of what you ship. If a signing key is quantum-vulnerable, a future adversary could forge signatures on malicious artifacts. Long-lived release signatures are especially worth inventorying early.
What to inventory first
- Code-signing certificates and their public-key algorithms
- CI/CD signing keys and where they're stored (KMS, HSM, Vault)
- JWT algorithms used for service-to-service and release tokens
- Container image and package signing configurations
Hybrid signatures during transition
A hybrid signature combines a classical algorithm (e.g. Ed25519) with a post-quantum algorithm (ML-DSA), and a verifier accepts it only if both component signatures verify, so breaking either algorithm on its own is not enough to forge a signature. PostQ's broader platform supports hybrid signing; the scanner's job here is discovery and readiness.
Inventory your code-signing workflows
Scan a repository in the PostQ dashboard to discover signing certificates, CI/CD keys, and JWT algorithms — then plan a path to hybrid ML-DSA signatures.
Algorithms that need a migration plan
| Algorithm | Why it needs a migration plan |
| --- | --- |
| RSA | Integer factorisation — broken by Shor's algorithm. |
| ECDSA | Elliptic-curve discrete log — broken by Shor's algorithm. |
| DH | Finite-field Diffie-Hellman — quantum-vulnerable key exchange. |
| ECDH | Elliptic-curve Diffie-Hellman — quantum-vulnerable key exchange. |
| X25519 | Modern ECDH curve, still classical and quantum-vulnerable. |
| Ed25519 | Modern EdDSA signature, still classical and quantum-vulnerable. |
| RS256 | JWT RSA-SHA256 signature — quantum-vulnerable public-key signature. |
| ES256 | JWT ECDSA-P256 signature — quantum-vulnerable public-key signature. |
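As an added example (not PostQ's scanner or any code from this page), here is a small Python inventory classifier that labels JWT header algorithms and certificate SubjectPublicKeyInfo OIDs with the categories in the table above, so a team can triage an exported list of tokens and certificates before choosing migration candidates. The ML-DSA OIDs and the sample inventory records are assumptions, not values from the page.

```python
import base64
import json
# Status labels follow the page's tables: RSA, ECDSA and EdDSA signatures are
# broken by Shor's algorithm; ML-DSA (FIPS 204) is the standardised replacement.
VULNERABLE_JWT_ALGS = {
    "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
    "ES256": "ECDSA", "ES384": "ECDSA", "ES512": "ECDSA", "EdDSA": "EdDSA",
}
SYMMETRIC_JWT_ALGS = {"HS256", "HS384", "HS512"}  # HMAC: not a Shor target
# SubjectPublicKeyInfo algorithm OIDs; the ML-DSA-65 value is the NIST CSOR OID assumed here.
SPKI_OIDS = {
    "1.2.840.113549.1.1.1": ("rsaEncryption", "quantum-vulnerable"),
    "1.2.840.10045.2.1": ("id-ecPublicKey", "quantum-vulnerable"),
    "1.3.101.112": ("Ed25519", "quantum-vulnerable"),
    "2.16.840.1.101.3.4.3.18": ("ML-DSA-65", "post-quantum"),
}

def jwt_header_alg(token: str) -> str:
    """Read 'alg' from a compact JWS/JWT header; no signature check is done."""
    header_b64 = token.split(".")[0]
    header_b64 += "=" * (-len(header_b64) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(header_b64)).get("alg", "none")

def classify_jwt(token: str) -> str:
    alg = jwt_header_alg(token)
    if alg in VULNERABLE_JWT_ALGS:
        return f"quantum-vulnerable ({VULNERABLE_JWT_ALGS[alg]})"
    if alg in SYMMETRIC_JWT_ALGS:
        return "symmetric (HMAC; not a Shor target)"
    return f"needs review ({alg})"  # 'none' or an unfamiliar alg

def classify_spki_oid(oid: str) -> str:
    name, status = SPKI_OIDS.get(oid, (oid, "needs review"))
    return f"{status} ({name})"

def scan_inventory(records: list) -> list:
    """One finding per record: JWTs by header alg, certificates by SPKI OID."""
    return [{"name": r["name"], "status": classify_jwt(r["value"]) if r["kind"] == "jwt"
             else classify_spki_oid(r["value"])} for r in records]

def sample_jwt(alg: str) -> str:  # constructed token: header.payload.dummy-signature
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': alg, 'typ': 'JWT'})}.{seg({'sub': 'release-bot'})}.sig"

SAMPLE_INVENTORY = [  # constructed records, not real keys or tokens
    {"kind": "jwt", "name": "release-token", "value": sample_jwt("RS256")},
    {"kind": "jwt", "name": "svc-to-svc", "value": sample_jwt("HS256")},
    {"kind": "cert", "name": "codesign.pem", "value": "1.2.840.10045.2.1"},
    {"kind": "cert", "name": "pqc-pilot.pem", "value": "2.16.840.1.101.3.4.3.18"},
]
```

Feeding a real export into `scan_inventory` only needs the `alg` header of each token and the SPKI algorithm OID of each certificate; anything labelled "needs review" (including `alg: none`) should be checked by hand rather than treated as safe.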
NIST-standardised replacements
| Standard | Role |
| --- | --- |
| ML-KEM (FIPS 203) | Key encapsulation / key exchange (formerly Kyber). |
| ML-DSA (FIPS 204) | Digital signatures (formerly Dilithium). |
| SLH-DSA (FIPS 205) | Stateless hash-based signatures (formerly SPHINCS+). |
PostQ detects where quantum-vulnerable algorithms are used and reports them. We don’t claim a target algorithm is supported in your stack unless detection confirms it.
Frequently asked questions
Is code signing affected by quantum computers?
Yes. Code signing typically uses RSA or ECDSA, both of which are quantum-vulnerable. A cryptographically relevant quantum computer could forge signatures, undermining artifact integrity and provenance.
What replaces quantum-vulnerable code-signing algorithms?
NIST's ML-DSA (FIPS 204) and the hash-based SLH-DSA (FIPS 205) are the standardized signature replacements. Hybrid composite signatures (classical + ML-DSA) are a practical transitional approach.
How does PostQ help with code-signing risk?
PostQ discovers and inventories your signing certificates, keys, and JWT algorithms so you can prioritize migration. We focus on discovery and readiness; we don't claim to automatically migrate every signing workflow.
Should I migrate code signing before TLS?
It depends on exposure and asset lifetime. Long-lived release signatures and high-value artifacts are good early candidates. Use a readiness assessment to prioritize.
Run a free PQC readiness scan
Scan any public domain for quantum-vulnerable TLS, certificate, and key-exchange cryptography. No signup is required for the basic TLS scan, and we only inspect public metadata.