As quantum computers rapidly increase in size and relevance, all public key systems that rely solely on RSA or elliptic curve cryptography are under threat. So, how do you protect your software supply chain? If you sign your software or artifacts, this talk is for you.

We will explore the implementation of post-quantum cryptography (PQC) for digital signing workflows specifically, with a focus on NIST recommendations and FIPS-compliant algorithms (like ML-DSA and SLH-DSA), as well as recent industry advances. Then, we will discuss open-source solutions, highlight the contributions of open-source developers, and consider implementation challenges you may experience in this fast-evolving cryptographic landscape.

You will leave this talk with a solid understanding of the current state of PQC in open source, and the knowledge to implement the best solutions for your software signing needs.