Toward Quantum-Resilient Software Supply Chains: A DevSecOps Case Study with Hybrid Post-Quantum Artifact Signing

preprint OA: closed
Authorea preprint (not peer reviewed; data may be preliminary). Version 2, 23 February 2026 (Version 1: 19 February 2026).
Author: Rafael Silva (ORCID 0009-0001-9183-9412)
DOI: https://doi.org/10.22541/au.177153860.05574964/v2

Abstract

Software supply-chain security has become a central concern due to the pervasive reuse of third-party dependencies, automated CI/CD pipelines, and the increasing number of attacks targeting build systems and artifact distribution channels. In parallel, emerging quantum computing capabilities threaten the long-term security of widely deployed public-key signatures (e.g., RSA/ECDSA) used to establish artifact authenticity.

This paper reports a practitioner-led case study of a GitLab CI/CD pipeline that operationalizes DevSecOps with Shift-Left controls across linting, software composition analysis (SCA), dynamic application security testing (DAST), centralized quality governance, security orchestration, artifact packaging, and a hybrid signing workflow combining a classical Vault Transit signature and a post-quantum signature (CRYSTALS-Dilithium). The pipeline culminates in a signed bundle published to a secure store, enabling verifiable integrity under both classical and post-quantum verification regimes. The case study demonstrates how a future-resilient supply chain can be incrementally adopted without breaking existing verification flows while increasing early detection capability and improving traceability and auditability.

Supplementary Material: qcnc_2026___pre_print_authorea-1.pdf (2.34 MB)

Keywords: crystals-dilithium, devsecops, gitlab ci/cd, hybrid signatures, post-quantum cryptography, shift left, software supply chain security, vault transit

Copyright: This work is licensed under a Non Exclusive No Reuse License.

Citation: Rafael Silva. Toward Quantum-Resilient Software Supply Chains: A DevSecOps Case Study with Hybrid Post-Quantum Artifact Signing. Authorea, 23 February 2026. DOI: https://doi.org/10.22541/au.177153860.05574964/v2
