// kit 01
PQC Toolkit
Production-ready post-quantum crypto. Pick stack, pick primitive, copy the code.
$ lib/release-signing.ts
L1
1 import { slh_dsa_sha2_128s as slh } from '@noble/post-quantum/slh-dsa'; 2 import { readFileSync, writeFileSync } from 'node:fs'; 3 import { createHash } from 'node:crypto'; 4 5 // One-shot release signing. Used for: 6 // - npm package tarballs 7 // - container image manifests 8 // - SBOM provenance 9 export function signRelease(artifactPath: string, privKey: Uint8Array) { 10 const bytes = readFileSync(artifactPath); 11 const digest = createHash('sha384').update(bytes).digest(); 12 const sig = slh.sign(digest, privKey); 13 writeFileSync(artifactPath + '.slh-dsa.sig', Buffer.from(sig)); 14 return sig; 15 } 16 17 export function verifyRelease(artifactPath: string, sig: Uint8Array, pubKey: Uint8Array) { 18 const bytes = readFileSync(artifactPath); 19 const digest = createHash('sha384').update(bytes).digest(); 20 return slh.verify(sig, digest, pubKey); 21 }
KEY SIZE
32 B pub
SIG / CT
7856 B sig
NIST LEVEL
L1
NOTES
SLH-DSA-128s is the conservative pick: security reduces to your hash function only.
- Use for things you sign once and verify forever.
- 8 KB signatures. Acceptable for a 100 MB artifact, terrible for per-request auth.
- 32 B public key — trivial to distribute to verifiers.