// kit 01

PQC Toolkit

Production-ready post-quantum crypto. Pick stack, pick primitive, copy the code.

$ lib/release-signing.ts
L1
TS
1import { slh_dsa_sha2_128s as slh } from '@noble/post-quantum/slh-dsa';
2import { readFileSync, writeFileSync } from 'node:fs';
3import { createHash } from 'node:crypto';
4 
5// One-shot release signing. Used for:
6// - npm package tarballs
7// - container image manifests
8// - SBOM provenance
9export function signRelease(artifactPath: string, privKey: Uint8Array) {
10 const bytes = readFileSync(artifactPath);
11 const digest = createHash('sha384').update(bytes).digest();
12 const sig = slh.sign(digest, privKey);
13 writeFileSync(artifactPath + '.slh-dsa.sig', Buffer.from(sig));
14 return sig;
15}
16 
17export function verifyRelease(artifactPath: string, sig: Uint8Array, pubKey: Uint8Array) {
18 const bytes = readFileSync(artifactPath);
19 const digest = createHash('sha384').update(bytes).digest();
20 return slh.verify(sig, digest, pubKey);
21}
KEY SIZE
32 B pub
SIG / CT
7856 B sig
NIST LEVEL
L1
NOTES

SLH-DSA-128s is the conservative pick: security reduces to your hash function only.

  • Use for things you sign once and verify forever.
  • 8 KB signatures. Acceptable for a 100 MB artifact, terrible for per-request auth.
  • 32 B public key — trivial to distribute to verifiers.