## **PoC**
[model-signing](https://pypi.org/project/model-signing/) is the first stable version of the model signing library. Using signatures such as those produced with Sigstore, users can verify that a model is exactly the one the developers created.
## **Details**
This project demonstrates how to protect the integrity of a model by signing it. We support generating signatures via [Sigstore](https://www.sigstore.dev/), a tool for making code signatures transparent without requiring management of cryptographic key material. We also support traditional signing methods, so models can be signed with public keys or signing certificates.
The signing step creates a [sigstore bundle](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto) protobuf that is stored in JSON format. The bundle contains the verification material necessary to check the payload, and the payload itself as a [DSSE envelope](https://github.com/sigstore/protobuf-specs/blob/main/protos/envelope.proto). The DSSE envelope in turn contains an in-toto statement and the signature over that statement. The signature format and how the signature is computed are specified [here](https://github.com/secure-systems-lab/dsse/blob/v1.0.0/protocol.md).
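As an added illustration (not the model-signing library's own code), the following shows the two layers described above: an in-toto statement listing the model files by SHA-256 digest, and the DSSE envelope around it, with the signature computed over the DSSE v1 pre-authentication encoding (PAE) rather than over the raw payload. HMAC-SHA256 is used as a stand-in for the asymmetric signing step so the example runs with the standard library only; the `predicateType` URL and the file contents are constructed placeholders, and the outer Sigstore bundle that carries the verification material is not reproduced.

```python
import base64
import hashlib
import hmac
import json

IN_TOTO_TYPE = "application/vnd.in-toto+json"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 Pre-Authentication Encoding:
    "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload
    The signature covers this byte string, which binds the payload type to the
    payload so a signed statement cannot be replayed under a different type."""
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d " % (len(t), t, len(payload)) + payload


def make_statement(model_files: dict) -> dict:
    """Build a simplified in-toto statement: one subject per model file with its
    SHA-256 digest. The predicateType is a constructed placeholder, not the
    library's real predicate."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [
            {"name": name, "digest": {"sha256": hashlib.sha256(data).hexdigest()}}
            for name, data in sorted(model_files.items())
        ],
        "predicateType": "https://example.invalid/model-signing-demo/v0",
        "predicate": {},
    }


def sign_envelope(statement: dict, key: bytes, keyid: str) -> dict:
    """Wrap the statement in a DSSE envelope. HMAC-SHA256 over the PAE stands in
    for the real (asymmetric) signature; the envelope layout is the DSSE one."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(IN_TOTO_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": IN_TOTO_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope: dict, key: bytes, model_files: dict) -> bool:
    """Verifier side: rebuild the PAE from the envelope's own payloadType and
    payload, check a signature against it, then confirm every subject digest
    matches the files actually present. Either failure rejects the model."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(
        hmac.compare_digest(expected, base64.b64decode(s["sig"]))
        for s in envelope["signatures"]
    ):
        return False
    statement = json.loads(payload)
    for subject in statement["subject"]:
        data = model_files.get(subject["name"])
        if data is None or hashlib.sha256(data).hexdigest() != subject["digest"]["sha256"]:
            return False
    return True


# Constructed sample model directory and key (demo values only).
FILES = {"model.safetensors": b"\x00weights", "config.json": b'{"arch":"demo"}'}
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    env = sign_envelope(make_statement(FILES), KEY, "demo-key-1")
    print(json.dumps(env, indent=2))
    print("verifies:", verify_envelope(env, KEY, FILES))
    tampered = dict(FILES, **{"model.safetensors": b"\x00weightz"})
    print("verifies after tampering:", verify_envelope(env, KEY, tampered))
```

The verifier deliberately recomputes the PAE from the envelope fields rather than trusting anything outside the envelope, and it checks the subject digests against the files it has, so a modified weight file is rejected even though the envelope and signature are intact.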
[paper](https://security.googleblog.com/2025/04/taming-wild-west-of-ml-practical-model.html)