In an article published on the Red Hat Developer site, Jakub Jelen explains how to sign RPM packages on Red Hat Enterprise Linux (RHEL) 10.1 with cryptographic keys designed to resist the quantum computers expected to arrive in the coming years. The article is aimed at developers and vendors who want to protect their software with stronger signatures or to meet compliance requirements.

In the article the author writes: “Post-quantum cryptography (PQC) is a common name for a set of algorithms believed to withstand the attacks of quantum computers once they have enough computational power to break or weaken the traditional cryptography algorithms used these days. They can be split into two groups: one used for key agreement, which is relevant to online protocols like TLS; and the other used for signatures, which is relevant for providing authenticity. […]

The signature algorithms group is especially relevant for software signatures made today, but we expect users to verify and trust them in 10 years, especially in IoT, embedded or enterprise systems that are either not updated frequently or require long-term stability. […]

Red Hat ships digitally signed software, which provides authenticity and integrity for the installed packages. For this use case, a private key signs the packages, and the system distributes a public key to the systems that install the software. This allows the user’s machine to verify the software comes from Red Hat. […]

For signing software with PQC algorithms, we are using Sequoia-PGP tools, the same tools used internally by RPM to verify the signatures. […]”
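As an added check that is not part of the article or of Red Hat's tooling, the following Python inspector reads an RPM's signature header and reports which OpenPGP public-key algorithm produced the signature, so a package set can be audited for files still signed only with classical (quantum-vulnerable) keys. The RPM layout and tag numbers follow rpmtag.h, the algorithm IDs follow RFC 9580; the fixtures are constructed here, and algorithm ID 30 is used only as a stand-in for a post-quantum codepoint, not as a verified registry value.

```python
import struct

# RPM signature-header tags (rpmtag.h); DSA/RSA carry an OpenPGP signature packet over the header.
SIG_TAGS = {1000: "SIZE", 1002: "PGP", 1004: "MD5", 1005: "GPG", 1007: "PAYLOADSIZE",
            267: "DSA", 268: "RSA", 269: "SHA1", 273: "SHA256"}
# OpenPGP public-key algorithm IDs from RFC 9580; none of these resist a large quantum computer.
CLASSICAL = {1: "RSA", 2: "RSA-E", 3: "RSA-S", 16: "Elgamal", 17: "DSA", 18: "ECDH",
             19: "ECDSA", 22: "EdDSALegacy", 27: "Ed25519", 28: "Ed448"}

def parse_signature_header(rpm: bytes) -> dict:
    """Return {tag_name: raw bytes} for the signature header that follows the 96-byte lead."""
    if rpm[:4] != b"\xed\xab\xee\xdb":
        raise ValueError("not an RPM lead")
    hdr = 96
    if rpm[hdr:hdr + 4] != b"\x8e\xad\xe8\x01":
        raise ValueError("missing signature header magic")
    nindex, hsize = struct.unpack(">II", rpm[hdr + 8:hdr + 16])
    index, out = hdr + 16, {}
    store = index + 16 * nindex                      # data store follows the index entries
    for i in range(nindex):
        tag, typ, off, count = struct.unpack(">IIII", rpm[index + 16 * i:index + 16 * i + 16])
        size = 4 * count if typ == 4 else count      # INT32 vs BIN; other types are not needed here
        out[SIG_TAGS.get(tag, str(tag))] = rpm[store + off:store + off + size]
    return out

def pgp_pubkey_algo(packet: bytes) -> int:
    """Public-key algorithm ID of an OpenPGP signature packet (tag 2, version 4 or 6)."""
    first = packet[0]
    if first & 0x40:                                 # new-format header: tag in low 6 bits
        tag, body = first & 0x3F, 2 if packet[1] < 192 else (3 if packet[1] < 224 else 6)
    else:                                            # old-format header: length type in low 2 bits
        tag, body = (first >> 2) & 0x0F, 1 + (1, 2, 4, 0)[first & 3]
    if tag != 2 or packet[body] not in (4, 6):
        raise ValueError("not a v4/v6 signature packet")
    return packet[body + 2]                          # body: version, sig type, pubkey algo, hash algo

def classify(rpm: bytes) -> dict:
    """Map each signature tag to (algorithm name or numeric id, is_classical)."""
    report = {}
    for name, blob in parse_signature_header(rpm).items():
        if name in ("RSA", "DSA", "PGP", "GPG"):
            algo = pgp_pubkey_algo(blob)
            report[name] = (CLASSICAL.get(algo, f"id {algo}"), algo in CLASSICAL)
    return report

def make_rpm(sig_packet: bytes, tag: int = 268) -> bytes:
    """Constructed fixture: RPM lead plus a signature header holding one BIN signature blob."""
    lead = b"\xed\xab\xee\xdb\x03\x00" + b"\x00" * 90
    header = b"\x8e\xad\xe8\x01" + b"\x00" * 4 + struct.pack(">II", 1, len(sig_packet))
    return lead + header + struct.pack(">IIII", tag, 7, 0, len(sig_packet)) + sig_packet

# Constructed v4 signature packet stubs (body cut after the hash-algorithm byte).
RSA_SIG = bytes([0xC2, 4, 4, 0x00, 1, 8])    # new-format tag 2, len 4, v4, binary, RSA, SHA-256
PQC_SIG = bytes([0xC2, 4, 4, 0x00, 30, 8])   # same layout; 30 is a placeholder post-quantum id
```

Anything outside the RFC 9580 classical set is reported by number so it can be matched against the current IETF OpenPGP PQC codepoints rather than a hard-coded guess.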

Source: read the full article at https://developers.redhat.com/articles/2025/10/07/signing-rpm-packages-using-quantum-resistant-cryptography

Photo by Jr Korpa on Unsplash