// kit 01
PQC Toolkit
Production-ready post-quantum crypto. Pick stack, pick primitive, copy the code.
$ release_sign.py
L1
1 from pqcrypto.sign import sphincs_sha2_128s_simple as slh 2 from hashlib import sha384 3 from pathlib import Path 4 import sys 5 6 def sign(artifact: Path, priv: bytes) -> bytes: 7 digest = sha384(artifact.read_bytes()).digest() 8 sig = slh.sign(priv, digest) 9 (artifact.with_suffix(artifact.suffix + ".slh-dsa.sig")).write_bytes(sig) 10 return sig 11 12 def verify(artifact: Path, sig: bytes, pub: bytes) -> bool: 13 digest = sha384(artifact.read_bytes()).digest() 14 try: 15 slh.verify(pub, digest, sig) 16 return True 17 except Exception: 18 return False 19 20 if __name__ == "__main__": 21 cmd, path = sys.argv[1], Path(sys.argv[2]) 22 pub, priv = slh.generate_keypair() 23 if cmd == "sign": 24 sign(path, priv); print("OK") 25 elif cmd == "verify": 26 sig = path.with_suffix(path.suffix + ".slh-dsa.sig").read_bytes() 27 print("OK" if verify(path, sig, pub) else "BAD")
KEY SIZE
32 B pub
SIG / CT
7856 B sig
NIST LEVEL
L1
NOTES
Use in CI to sign release artifacts.
- Pin the package version.
sphincs_sha2_128s_simpleis wire-compatible with SLH-DSA-SHA2-128s. - Store the private key in a CI vault accessible only by signed-tag jobs.
- Publish the public key in your repo README and a separate channel for triangulation.