Code Signing: Dual‑Sign Rollout (ML‑DSA + Current)

CI/CD Steps

  1. Generate ML-DSA keys and keep the current signing keys in service. Store the ML-DSA private key sealed, in a KMS/HSM where possible.
  2. Sign each artifact with both schemes and attach both signatures, with their metadata, to the manifest.
  3. Verify both signatures in CI; fail the build if either verification path fails.
  4. Emit a posture JSON record: signature sizes, verification times, algorithm versions.

Consumer

Update verifiers to accept both signatures. During the transition, warn rather than fail when PQ verification is unavailable on the consumer side.
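As an added example (not part of the original checklist), the manifest and verification policy from steps 2 to 4 and the consumer transition rule above, in Python. The HMAC sign/verify pair, the key ids and the "ed25519"/"ML-DSA-65" labels are constructed stand-ins; a real pipeline puts Ed25519 (or ECDSA) and an ML-DSA library behind the same two-function interface.

```python
import hashlib, hmac, time
CURRENT_ALG, PQ_ALG = "ed25519", "ML-DSA-65"
ALG_VERSIONS = {CURRENT_ALG: "RFC 8032", PQ_ALG: "FIPS 204"}

# Backend interface: sign_fn(message, key) -> bytes; verify_fn(message, sig, key) -> bool. The HMAC
# pair is a constructed stand-in so this runs offline; put real Ed25519 and ML-DSA code behind it.
def stand_in_sign(message, key):
    return hmac.new(key, message, "sha256").digest()

def stand_in_verify(message, signature, key):
    return hmac.compare_digest(hmac.new(key, message, "sha256").digest(), signature)

def build_manifest(artifact, signers):
    """signers: {alg: (key_id, key, sign_fn)}. Every scheme signs the SHA-256 digest (step 2)."""
    digest = hashlib.sha256(artifact).digest()
    sigs = [{"alg": alg, "alg_version": ALG_VERSIONS[alg], "key_id": key_id,
             "sig": sign_fn(digest, key).hex()} for alg, (key_id, key, sign_fn) in signers.items()]
    return {"digest": digest.hex(), "signatures": sigs}

def verify_manifest(artifact, manifest, verifiers, keys, mode="ci"):
    """mode="ci" (step 3): both schemes must be present and verify; any gap fails the build.
    mode="consumer": the current scheme must verify; a missing PQ verifier only warns.
    Returns (ok, warnings, posture); posture is the JSON-ready record of step 4."""
    digest = hashlib.sha256(artifact).digest()
    if manifest["digest"] != digest.hex():
        return False, ["artifact digest mismatch"], {}
    ok, warnings, posture = True, [], {}
    if mode == "ci" and not {CURRENT_ALG, PQ_ALG} <= {e["alg"] for e in manifest["signatures"]}:
        ok, warnings = False, ["manifest is not dual-signed"]
    for entry in manifest["signatures"]:
        alg, verify_fn = entry["alg"], verifiers.get(entry["alg"])
        if verify_fn is None:
            if mode == "consumer" and alg == PQ_ALG:
                warnings.append(f"{alg} verifier unavailable; accepted on {CURRENT_ALG} only")
            else:
                ok, warnings = False, warnings + [f"no verifier for {alg}"]
            continue
        sig, start = bytes.fromhex(entry["sig"]), time.perf_counter()
        good = verify_fn(digest, sig, keys[entry["key_id"]])
        posture[alg] = {"ok": good, "sig_bytes": len(sig), "alg_version": entry["alg_version"],
                        "verify_ms": round((time.perf_counter() - start) * 1000, 3)}
        ok = ok and good
    return ok, warnings, posture

if __name__ == "__main__":  # constructed demo keys; real keys live in the KMS/HSM
    keys = {"cur-2024": b"constructed-current-key", "pq-2025": b"constructed-mldsa-key"}
    signers = {a: (k, keys[k], stand_in_sign) for a, k in [(CURRENT_ALG, "cur-2024"), (PQ_ALG, "pq-2025")]}
    manifest = build_manifest(b"release.tar.gz contents", signers)
    print(verify_manifest(b"release.tar.gz contents", manifest, dict.fromkeys(ALG_VERSIONS, stand_in_verify), keys))
```

The same manifest is checked twice: once with both verifiers in CI mode, where any gap fails, and once in consumer mode without the PQ backend, where it passes with a warning.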