Signing Is Not Sealing
Post-quantum signatures are entering supply-chain infrastructure. Any ML artifact signing profile that adopts ML-DSA should get one deployment detail right before it ships: randomized mode opens a 256-bit hidden command channel that no deployed verifier can inspect.