Story
Resolution: Unresolved
Pipelines Sprint Pioneers 30
Story (Required)
As an admin leveraging Tekton Chains for signing build artifacts, I want support for post-quantum (PQ) signatures using quantum-resistant algorithms,
So that I can ensure long-term security and compliance with emerging cryptographic standards in the face of quantum computing threats.
This feature enables customers to future-proof their software supply chains by adopting signature algorithms that are resilient against both classical and quantum attacks, and supports security mandates such as CNSA 2.0.
Background (Required)
Currently, Tekton Chains supports digital signing of build artifacts using:
- x509 keys (Ed25519, ECDSA)
- Cosign key pairs (ECDSA-P256 by default)
- KMS-backed keys
- Experimental keyless signing with Fulcio (the Sigstore CA)
However, all of these options rely on classical public-key cryptography whose security rests on the elliptic-curve discrete logarithm problem, which a cryptographically relevant quantum computer running Shor's algorithm would break.
"If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere. The goal of post-quantum cryptography (also called quantum-resistant cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks." (https://csrc.nist.gov/Projects/post-quantum-cryptography)
NIST selected the first four post-quantum algorithms in 2022 and has since published the first standards based on them (FIPS 203 ML-KEM, FIPS 204 ML-DSA and FIPS 205 SLH-DSA); these are what industry is adopting as the baseline. In order for Red Hat to compete in this market, we will need to provide robust capability here.
CNSA Timeline and Government Mandate that is driving this work: https://drive.google.com/file/d/1OnjMkLstz_XbgbBy7ECaPoL_7LVEoPcV/view?usp=drive_link
Out of scope
- Migration or replacement of existing classical signature implementations (ECDSA, Ed25519)
- Full integration with PQC-enabled KMS solutions
- PQ support for Fulcio keyless workflows
Approach (Required)
- Integrate PQ signature support via Cosign (track Sigstore's experimental PQC work). https://issues.redhat.com/browse/OCTOET-865
- Add support for signing artifacts using X.509 certificates that embed ML-DSA (or hybrid ML-DSA + ECDSA) via Cosign.
- Support generation, storage, and verification of PQ signatures in Tekton Chains' signing flow
- Allow user configuration via ChainsConfig CRD to opt into PQ signing
- Provide examples and test cases using PQ signing
Dependencies
- Sigstore/Cosign support for PQC algorithms (e.g., Cosign support for ML-DSA, formerly known as Dilithium)
Acceptance Criteria (Mandatory)
- PQ signature algorithm is supported in Chains using Cosign or direct x509 signing
- Chains can generate valid PQ signatures and attach them to OCI image artifacts or attestations
- Configuration exists to enable/disable PQ signing
- Signing metadata includes algorithm type
- Documentation added for enabling and using PQ signing
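The hybrid ML-DSA + ECDSA item in the approach and the acceptance criteria on algorithm metadata and an enable/disable switch share one design question: how the verifier knows which legs a hybrid signature was supposed to have, so that an attacker cannot strip the PQ leg and present the classical one. The Go program below is an added example, not Chains or Cosign code, of the usual answer: record each leg's algorithm name in the envelope and bind the full algorithm set into the signed message, then let verifier policy require the PQ leg. The Go standard library has no ML-DSA, so the two legs here are Ed25519 and ECDSA-P256 stand-ins; an ML-DSA leg from an external implementation would plug in as one more Key. The type names, the "hybrid-sig-v1" domain separator and the "ed25519" / "ecdsa-p256" labels are this example's assumptions, not Chains identifiers, and the payload is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

// Leg is one signature of a hybrid envelope; Alg is the recorded algorithm type.
type Leg struct {
	Alg string
	Sig []byte
}

// Envelope is the signed payload (e.g. a serialized attestation) plus its legs.
type Envelope struct {
	Payload []byte
	Legs    []Leg
}

// Key wraps one algorithm's key pair. An ML-DSA leg (from an external library,
// not shown) would be another Key of the same shape. The key map handed to
// Verify doubles as the accept-list: a leg with no trusted key is rejected.
type Key struct {
	Sign   func(msg []byte) ([]byte, error)
	Verify func(msg, sig []byte) bool
}

// signingInput hashes a domain separator, the sorted algorithm set and the
// payload, each length-prefixed. Signing the algorithm set makes the hybrid
// non-separable: dropping a leg changes the message the other legs signed.
func signingInput(payload []byte, algs []string) []byte {
	sorted := append([]string(nil), algs...)
	sort.Strings(sorted)
	h := sha256.New()
	for _, p := range append(append([]string{"hybrid-sig-v1"}, sorted...), string(payload)) {
		binary.Write(h, binary.BigEndian, uint32(len(p))) // "hybrid-sig-v1" is a hypothetical separator
		h.Write([]byte(p))
	}
	return h.Sum(nil)
}

// GenKeys makes fresh Ed25519 and ECDSA-P256 keys (constructed for the example).
func GenKeys() (map[string]Key, error) {
	edPub, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ecPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return map[string]Key{
		"ed25519": {
			Sign:   func(m []byte) ([]byte, error) { return ed25519.Sign(edPriv, m), nil },
			Verify: func(m, s []byte) bool { return ed25519.Verify(edPub, m, s) }},
		"ecdsa-p256": {
			Sign:   func(m []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, ecPriv, m) },
			Verify: func(m, s []byte) bool { return ecdsa.VerifyASN1(&ecPriv.PublicKey, m, s) }},
	}, nil
}

// Sign produces one leg per key, in canonical algorithm order, over the shared
// algorithm-bound signing input.
func Sign(payload []byte, keys map[string]Key) (Envelope, error) {
	algs := make([]string, 0, len(keys))
	for a := range keys {
		algs = append(algs, a)
	}
	sort.Strings(algs)
	msg, env := signingInput(payload, algs), Envelope{Payload: payload}
	for _, a := range algs {
		sig, err := keys[a].Sign(msg)
		if err != nil {
			return Envelope{}, err
		}
		env.Legs = append(env.Legs, Leg{Alg: a, Sig: sig})
	}
	return env, nil
}

// Verify checks every leg with its trusted key over the algorithm-bound input,
// then enforces that each required algorithm (e.g. the PQ leg) was present.
func Verify(env Envelope, keys map[string]Key, require []string) error {
	algs, seen := make([]string, 0, len(env.Legs)), map[string]bool{}
	for _, l := range env.Legs {
		algs = append(algs, l.Alg)
	}
	msg := signingInput(env.Payload, algs)
	for _, l := range env.Legs {
		if k, ok := keys[l.Alg]; !ok || !k.Verify(msg, l.Sig) {
			return fmt.Errorf("%s leg untrusted or invalid", l.Alg)
		}
		seen[l.Alg] = true
	}
	for _, r := range require {
		if !seen[r] {
			return fmt.Errorf("required %s leg missing", r)
		}
	}
	return nil
}

func main() {
	keys, err := GenKeys()
	if err != nil {
		panic(err)
	}
	payload := []byte(`{"_type":"https://in-toto.io/Statement/v1"}`) // constructed payload
	env, _ := Sign(payload, keys)
	fmt.Println("both legs:", Verify(env, keys, []string{"ecdsa-p256"}))
	fmt.Println("one leg stripped:", Verify(Envelope{Payload: payload, Legs: env.Legs[1:]}, keys, []string{"ecdsa-p256"}))
}
```

In a Chains deployment the `require` list is what an "enable PQ signing" switch would control on the verification side: once set to the PQ algorithm, classical-only envelopes produced before the switch are rejected, which is the intended effect of a migration rather than a bug, so the switch needs to be rolled out to verifiers after signers.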
INVEST Checklist
Dependencies identified
Blockers noted and expected delivery timelines set
Design is implementable
Acceptance criteria agreed upon
Story estimated
Done Checklist
- Code is completed, reviewed, documented and checked in
- Unit and integration test automation have been delivered and running cleanly in continuous integration/staging/canary environment
- Continuous Delivery pipeline(s) is able to proceed with new code included
- Customer facing documentation, API docs etc. are produced/updated, reviewed and published
- Acceptance criteria are met