Add ML-DSA support to GCPSigner

jku · jku · commit 813c38ccbffa · 2026-05-12T19:08:30.000+03:00
Signed-off-by: Jussi Kukkonen &lt;jkukkonen@google.com&gt;
diff --git a/securesystemslib/signer/_gcp_signer.py b/securesystemslib/signer/_gcp_signer.py
@@ -59,6 +59,18 @@
             "rsa",
             "rsa-pkcs1v15-sha512",
         ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.PQ_SIGN_ML_DSA_44: (
+            "ml-dsa",
+            "ml-dsa-44/1",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.PQ_SIGN_ML_DSA_65: (
+            "ml-dsa",
+            "ml-dsa-65/1",
+        ),
+        CryptoKeyVersion.CryptoKeyVersionAlgorithm.PQ_SIGN_ML_DSA_87: (
+            "ml-dsa",
+            "ml-dsa-87/1",
+        ),
     }
 except ImportError:
     GCP_IMPORT_ERROR = (
@@ -176,10 +188,16 @@ def sign(self, payload: bytes) -> Signature:
         # NOTE: request and response can contain CRC32C of the digest/sig:
         # Verifying could be useful but would require another dependency...
 
-        hasher = hashlib.new(self.hash_algorithm)
-        hasher.update(payload)
-        digest = {self.hash_algorithm: hasher.digest()}
-        request = {"name": self.gcp_keyid, "digest": digest}
+        if self.public_key.keytype == "ml-dsa":
+            hasher = hashlib.new("sha512")
+            hasher.update(payload)
+            pre_signing_string = b"tuf" + bytes([1]) + hasher.digest()
+            request = {"name": self.gcp_keyid, "data": pre_signing_string}
+        else:
+            hasher = hashlib.new(self.hash_algorithm)
+            hasher.update(payload)
+            digest = {self.hash_algorithm: hasher.digest()}
+            request = {"name": self.gcp_keyid, "digest": digest}
 
         logger.debug("signing request %s", request)
         response = self.client.asymmetric_sign(request)
diff --git a/securesystemslib/signer/_key.py b/securesystemslib/signer/_key.py
@@ -252,7 +252,12 @@ def get_hash_algorithm_name(self) -> str:
         ]:
             return f"sha{self.scheme[-3:]}"
 
-        elif self.scheme == "ecdsa-sha2-nistp521":
+        elif self.scheme in [
+            "ecdsa-sha2-nistp521",
+            "ml-dsa-44/1",
+            "ml-dsa-65/1",
+            "ml-dsa-87/1",
+        ]:
             return "sha512"
 
         raise ValueError(f"method not supported for scheme {self.scheme}")
