In an increasingly interconnected digital ecosystem, the software supply chain has become a critical vulnerability point for organizations worldwide. The emergence of quantum computing, while revolutionary in its positive applications, poses an unprecedented threat to current cryptographic standards that secure this supply chain. Post-Quantum Cryptography (PQC) code-signing represents a crucial response to this challenge—a technological safeguard designed to protect software integrity against the computational power of quantum attacks.
As quantum computers advance from research laboratories to practical deployment, the urgency for quantum-resistant security measures has never been more pressing. Traditional code-signing certificates that rely on RSA and ECC algorithms are vulnerable to quantum attacks using Shor’s algorithm, potentially allowing attackers to forge signatures and compromise the entire software supply chain. This situation creates an immediate need for organizations to understand and implement PQC code-signing solutions.
This article examines how PQC code-signing works, its implementation challenges in software supply chains, and practical strategies for organizations preparing for the post-quantum era. From algorithm selection to integration with existing infrastructure, we’ll explore the complete landscape of this critical security technology and its real-world applications across industries.
The software supply chain encompasses all components, libraries, and processes involved in developing and distributing software. Traditional security measures rely heavily on cryptographic signatures to verify the authenticity and integrity of software components. However, the quantum computing revolution threatens to disrupt this security model fundamentally.
Quantum computers leverage quantum mechanical phenomena like superposition and entanglement to perform calculations that are practically impossible for classical computers. While general-purpose quantum computers with significant qubits are still developing, the threat they pose to cryptography is well-understood and immediate. This phenomenon is often referred to as “harvest now, decrypt later,” where adversaries collect encrypted data today with plans to decrypt it once quantum computing capabilities mature.
For software supply chains, the primary quantum threat comes from Shor’s algorithm, which can efficiently factorize large prime numbers and compute discrete logarithms. This capability effectively breaks RSA and ECC cryptography—the foundation of most current code-signing implementations. When applied to software supply chains, this vulnerability could allow attackers to:
Recent software supply chain attacks like SolarWinds have demonstrated the devastating potential of such compromises even without quantum computing in the equation. When quantum capabilities are added, the scale and impact of these threats increase exponentially. NIST estimates that quantum computers capable of breaking 2048-bit RSA encryption could be available within the next 10-15 years, creating an urgent timeline for transitioning to quantum-resistant alternatives.
Post-Quantum Cryptography refers to cryptographic algorithms believed to be secure against attacks from both quantum and classical computers. Unlike quantum key distribution (QKD), which requires specialized quantum hardware, PQC algorithms run on existing classical computers but are designed to resist quantum-based attacks. This makes PQC particularly suitable for code-signing applications in software supply chains.
The fundamental principle behind PQC is using mathematical problems that remain hard even for quantum computers. While Shor’s algorithm efficiently solves integer factorization and discrete logarithm problems, other mathematical challenges—such as finding the shortest vector in a lattice or decoding random linear codes—remain difficult even with quantum approaches.
Code-signing with PQC follows the same general workflow as traditional code-signing but substitutes quantum-vulnerable algorithms with quantum-resistant alternatives:
The primary difference lies in the cryptographic algorithms used and their implementation requirements, which often involve larger key sizes and different performance characteristics.
In 2022, after a six-year standardization process, NIST selected several PQC algorithms for standardization. For digital signatures, which are critical for code-signing, the primary selected algorithms include:
CRYSTALS-Dilithium: Based on lattice problems, Dilithium offers a balanced approach between key size, signature size, and performance. It’s considered the primary general-purpose signature scheme for most applications including code-signing. Dilithium provides security levels equivalent to AES-128, AES-192, and AES-256.
FALCON: Another lattice-based signature scheme that offers smaller signatures than Dilithium but with slightly more complex implementation requirements. FALCON is particularly valuable in bandwidth-constrained environments where signature size matters.
SPHINCS+: A stateless hash-based signature scheme that offers the highest security confidence among the selected algorithms because it relies only on the security of the underlying hash function. While SPHINCS+ has larger signatures and slower performance, it provides an important alternative with different security assumptions.
For code-signing applications specifically, CRYSTALS-Dilithium has emerged as the leading candidate due to its balance of security, performance, and implementation readiness. Several major certificate authorities and software platforms have already begun implementing Dilithium-based code-signing certificates in pilot programs.
PQC code-signing offers several significant advantages over traditional approaches in the context of software supply chains:
Future-proof security: The primary advantage is resistance to quantum attacks, ensuring that signed code remains verifiable and trustworthy even in a post-quantum computing environment. This long-term security is essential for software with extended lifecycles.
Algorithmic diversity: PQC introduces diversification of cryptographic assumptions, reducing the risk that a single mathematical breakthrough would compromise all security. This diversity creates a more robust security foundation.
Backward compatibility potential: Many PQC implementations are designed to work within existing public key infrastructure (PKI) frameworks, enabling hybrid approaches during transition periods. This allows organizations to implement quantum-resistant signatures alongside traditional ones.
Enhanced verification models: The transition to PQC provides an opportunity to implement modern verification approaches like keyless signing and transparent supply chain verification that go beyond simple cryptographic validation.
While PQC signatures typically require more computational resources than their classical counterparts, the security benefits far outweigh these costs, especially as implementation efficiencies improve over time.
Transitioning to PQC code-signing represents a significant undertaking for organizations that rely on software supply chains. A successful implementation requires a phased approach that addresses both technical and organizational challenges.
The first step involves conducting a comprehensive inventory of all current code-signing certificates, their usage patterns, and their integration points within development and deployment pipelines. This discovery phase helps identify where changes will be needed and allows for prioritization based on risk exposure and operational impact.
Once the current state is documented, organizations should develop a transition strategy that typically includes:
Leading organizations are already implementing pilot programs, particularly in critical infrastructure and long-lifecycle software environments where the risk of future quantum attacks is most significant.
Organizations implementing PQC code-signing face several significant challenges:
Performance impacts: PQC algorithms generally require more computational resources and larger key/signature sizes compared to classical algorithms. For example, CRYSTALS-Dilithium signatures are approximately 2.5KB compared to 256 bytes for ECDSA signatures. This size difference can affect storage, bandwidth, and processing requirements, particularly in constrained environments.
Solution: Implementing optimized algorithm implementations, signature caching, and progressive deployment starting with non-constrained environments can mitigate performance concerns. Hardware acceleration for PQC operations is also emerging as a solution.
Standardization and compatibility: With PQC standards still evolving, organizations risk implementing approaches that may become obsolete or incompatible with future standards.
Solution: Adopting a cryptographic agility framework that allows for algorithm substitution without major system redesign provides protection against changing standards. Following NIST’s standardization process closely and selecting algorithms with draft standards helps minimize compatibility risks.
Integration with existing PKI: Current certificate authorities and PKI systems are designed around classical cryptography assumptions that don’t always translate directly to PQC.
Solution: Hybrid certificates that contain both traditional and post-quantum signatures provide a bridge during the transition period. Working with certificate providers that are actively developing PQC offerings ensures smoother integration.
Development tool compatibility: Many development tools, signing utilities, and verification systems are hardcoded to work with specific classical algorithms.
Solution: Engaging with development tool vendors early and contributing to open-source projects that need PQC support can accelerate ecosystem readiness. Creating abstraction layers for cryptographic operations in custom tools also facilitates easier transitions.
Organizations can follow these best practices when implementing PQC code-signing in their software supply chains:
Start with risk assessment: Identify which software components face the greatest risk from quantum attacks based on lifecycle length, sensitivity, and deployment context. Prioritize these components for early PQC implementation.
Implement cryptographic agility: Design systems to support multiple signature algorithms simultaneously and to allow for algorithm replacement without major architectural changes. This approach, sometimes called “crypto agility,” is essential for navigating the evolving PQC landscape.
Deploy hybrid signatures: Use dual-signature approaches that apply both classical and post-quantum algorithms during the transition period. This maintains backward compatibility while adding quantum resistance.
Engage your ecosystem: Work with software vendors, certificate authorities, and technology partners to ensure they have PQC roadmaps aligned with your transition timeline. Industry coordination is crucial for successful implementation.
Develop expertise: Invest in training and resources to build internal PQC knowledge. Consider participating in standards bodies and industry working groups to stay at the forefront of developments.
Test thoroughly: Establish comprehensive testing regimes for PQC implementations, including performance benchmarking, compatibility testing across different environments, and security validation.
Organizations that adopt these practices position themselves not only for security in the quantum era but also for more resilient software supply chains overall.
Several organizations across different sectors have begun implementing PQC code-signing to secure their software supply chains:
Financial Services Leader: A global banking institution with stringent security requirements implemented PQC code-signing for their financial transaction processing software. They adopted a hybrid approach using both ECDSA and CRYSTALS-Dilithium signatures, integrating these dual signatures into their CI/CD pipeline. This implementation required modifications to their verification infrastructure but resulted in quantum-resistant software deployment with minimal operational disruption.
Critical Infrastructure Provider: An energy grid management software provider implemented SPHINCS+ signatures for their control systems software. Despite the larger signature size, they prioritized the high security assurance of hash-based signatures for these critical systems with 20+ year lifecycles. They developed custom verification modules for edge devices with limited processing capabilities, demonstrating that PQC can be implemented even in constrained environments with appropriate optimization.
Open Source Security Initiative: A major open-source project implemented transparent PQC signing for all package releases. They created a hybrid signature system using both traditional and post-quantum algorithms, published all verification keys through a transparent certificate framework, and provided developer tools for signature verification. This implementation has become a reference model for other open-source projects transitioning to quantum-resistant supply chains.
Automotive Firmware Security: A vehicle manufacturer implemented PQC code-signing for their over-the-air update system to ensure that vehicles produced today would remain secure throughout their operational lifetime, even as quantum computing advances. They selected Dilithium for its performance characteristics and created a custom signature verification module optimized for their embedded systems environment.
These case studies demonstrate that despite implementation challenges, organizations across sectors are successfully deploying PQC code-signing as part of their quantum readiness strategies. The diversity of approaches reflects the varying requirements and constraints across different industries, but the common thread is a recognition of the need to begin transitioning now rather than waiting for quantum computers to become a more immediate threat.
As PQC code-signing matures and becomes more widely implemented, several emerging trends will shape the future of quantum-resistant software supply chains:
Standardized PQC infrastructures: Industry-wide standards for PQC integration into software supply chains are developing rapidly. These standards will encompass not just the cryptographic algorithms themselves but also implementation practices, certificate formats, and verification protocols. The work being done by organizations like NIST, IETF, and the Cloud Security Alliance will eventually produce comprehensive frameworks that organizations can adopt with confidence.
Automated PQC compliance verification: As regulatory requirements around quantum readiness emerge, automated tools for verifying PQC compliance throughout the software supply chain will become essential. These tools will verify that all components in a software package are signed with quantum-resistant algorithms and that the verification infrastructure properly validates these signatures.
Integration with software bills of materials (SBOMs): PQC signatures will increasingly be tied to software bills of materials, creating cryptographically verifiable records of all components in a software package. This integration will allow organizations to verify not just the authenticity of software but also its composition and security properties in a quantum-resistant manner.
Hardware-accelerated PQC: To address performance challenges, hardware acceleration for PQC operations will become common in processors, HSMs, and specialized security devices. These hardware capabilities will mitigate the computational overhead of quantum-resistant algorithms, making them practical for a wider range of applications.
Zero-trust software supply chains: PQC will be a foundational element of zero-trust approaches to software supply chains, where continuous verification and minimal trust assumptions replace traditional perimeter-based security models. In these environments, quantum-resistant signatures will be verified at multiple points throughout the software lifecycle, from development through deployment and runtime.
Organizations that recognize these trends and position themselves accordingly will be better prepared not just for quantum threats but for the evolving security landscape more broadly. PQC code-signing represents not just a defensive measure against quantum computing but an opportunity to build more secure, transparent, and verifiable software supply chains.
As the World Quantum Summit 2025 will demonstrate through its practical workshops and case studies, quantum-resistant technologies like PQC are no longer theoretical propositions but practical necessities that forward-thinking organizations are implementing today. The transition to quantum-resistant software supply chains represents one of the most significant security shifts of the coming decade, with implications for virtually every organization that develops, distributes, or relies on software.
PQC code-signing represents a critical evolution in software supply chain security as the world transitions into the quantum computing era. While quantum computers capable of breaking current cryptographic standards may still be years away, the long lifetime of many software systems and the “harvest now, decrypt later” threat model create an immediate need for quantum-resistant approaches.
Organizations that begin implementing PQC code-signing today will not only protect themselves against future quantum threats but will also benefit from improved cryptographic agility, more robust verification processes, and greater supply chain transparency. The transition presents challenges—from performance considerations to ecosystem readiness—but these are surmountable with proper planning and phased implementation.
As NIST-standardized algorithms like CRYSTALS-Dilithium move from draft standards to widespread implementation, the tools and infrastructure for PQC code-signing will continue to mature. Organizations that participate in this evolution position themselves at the forefront of security innovation while ensuring their software supply chains remain trustworthy in a post-quantum world.
The security of our digital infrastructure depends on successfully navigating this cryptographic transition. By understanding the principles, challenges, and implementation approaches for PQC code-signing, security leaders can make informed decisions that will protect their software supply chains for decades to come—regardless of how quickly quantum computing advances.
Discover more about quantum-resistant technologies and their practical applications at the World Quantum Summit 2025. Join global leaders, researchers, and innovators in Singapore on September 23-25, 2025, to explore how quantum technologies are transitioning from theory to real-world implementation.
Learn more about the summit | Explore sponsorship opportunities | Visit our website
[wpforms id=”1803″]
World Quantum Summit 2025
Sheraton Towers Singapore
39 Scotts Road, Singapore 228230
23rd - 25th September 2025
