// kit 01

PQC Toolkit

Production-ready post-quantum crypto. Pick stack, pick primitive, copy the code.

$ release_sign.py
L1
PYTHON
1from pqcrypto.sign import sphincs_sha2_128s_simple as slh
2from hashlib import sha384
3from pathlib import Path
4import sys
5 
6def sign(artifact: Path, priv: bytes) -> bytes:
7 digest = sha384(artifact.read_bytes()).digest()
8 sig = slh.sign(priv, digest)
9 (artifact.with_suffix(artifact.suffix + ".slh-dsa.sig")).write_bytes(sig)
10 return sig
11 
12def verify(artifact: Path, sig: bytes, pub: bytes) -> bool:
13 digest = sha384(artifact.read_bytes()).digest()
14 try:
15 slh.verify(pub, digest, sig)
16 return True
17 except Exception:
18 return False
19 
20if __name__ == "__main__":
21 cmd, path = sys.argv[1], Path(sys.argv[2])
22 pub, priv = slh.generate_keypair()
23 if cmd == "sign":
24 sign(path, priv); print("OK")
25 elif cmd == "verify":
26 sig = path.with_suffix(path.suffix + ".slh-dsa.sig").read_bytes()
27 print("OK" if verify(path, sig, pub) else "BAD")
KEY SIZE
32 B pub
SIG / CT
7856 B sig
NIST LEVEL
L1
NOTES

Use in CI to sign release artifacts.

  • Pin the package version. sphincs_sha2_128s_simple is wire-compatible with SLH-DSA-SHA2-128s.
  • Store the private key in a CI vault accessible only by signed-tag jobs.
  • Publish the public key in your repo README and a separate channel for triangulation.