OpenSSF Model Signing brings software supply chain security practices to machine learning by enabling cryptographic signing and verification of model files. Just as code signing verifies that software hasn't been tampered with, model signing ensures that ML model artifacts (weights, configs, tokenizers, and metadata) are authentic and unmodified from their source. By default the project signs through Sigstore's keyless infrastructure (the Fulcio certificate authority and the Rekor transparency log): the signer authenticates with an OIDC identity provider such as GitHub, Google, or Microsoft and receives a short-lived signing certificate bound to that identity, so publishers never generate or safeguard long-lived signing keys, and consumers verify against a publisher identity rather than a bare public key. Signing with a locally held key or an X.509 certificate is also supported for environments that cannot use a public transparency log.
The project reached v1.0 in April 2025, establishing a production-ready toolchain for model integrity verification. The CLI tool and Python library sign a model directory as a unit: every file is hashed, the per-file digests are collected into a manifest, and that manifest is what gets signed, so a verifier detects not only a modified weight shard but any file added to or removed from the model. The resulting signature bundle travels with the model and can be verified independently by anyone downloading it, by checking it against the publisher identity and OIDC issuer they expect. This creates a chain of trust from model publisher to model consumer and addresses a growing class of supply chain attacks in which malicious actors distribute modified model files through public repositories. The guarantee is one of provenance and integrity: a valid signature proves who published the artifact and that it has not changed since, not that the weights themselves are free of backdoors or that the serialization format (pickle-based checkpoints, for example) is safe to load.
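The manifest-based integrity check described above, as an added stdlib-only example rather than code from the OpenSSF Model Signing project: it hashes every file under a model directory into a canonical manifest, then compares a second copy of the directory against that manifest and reports modified, missing, and added files. The signing step is left out; in the real tool the manifest is wrapped in an in-toto statement and signed via Sigstore or a key, and verification of that signature happens before this comparison. The model name `finbert`, the file names, and the `model.sig` skip are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# The signature bundle lives inside the model directory but must not be covered
# by the manifest. "model.sig" is assumed here as the bundle's file name.
SIGNATURE_FILENAME = "model.sig"


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so multi-GB weight shards never sit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(model_dir: Path) -> dict:
    """Map every regular file under model_dir (relative POSIX path) to its digest.

    Paths are sorted so the serialized manifest is canonical: the same directory
    always yields byte-identical JSON, which is the property a signature needs.
    """
    entries = {}
    for path in sorted(p for p in model_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(model_dir).as_posix()
        if rel == SIGNATURE_FILENAME:
            continue
        entries[rel] = {"sha256": file_digest(path)}
    return {"model_name": model_dir.name, "files": entries}


def serialize_manifest(manifest: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace): the bytes a signer would sign."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def verify_manifest(model_dir: Path, trusted: dict) -> dict:
    """Compare the directory on disk with a manifest whose signature has already
    been checked. All three lists empty means the model is byte-for-byte what
    the publisher signed; any non-empty list is a reason to refuse to load it."""
    actual = build_manifest(model_dir)["files"]
    expected = trusted["files"]
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "added": sorted(p for p in actual if p not in expected),
    }


def demo() -> dict:
    """Constructed scenario: a tiny 'model' is published, then the consumer's copy
    is tampered with in the three ways a per-file manifest has to catch."""
    with tempfile.TemporaryDirectory() as tmp:
        model = Path(tmp) / "finbert"
        (model / "weights").mkdir(parents=True)
        (model / "config.json").write_text('{"hidden_size": 768}')
        (model / "weights" / "shard-00001.safetensors").write_bytes(b"\x00" * 4096)
        (model / "tokenizer.json").write_text('{"version": "1.0"}')

        # Publisher side: build and (in the real tool) sign the manifest.
        signed = json.loads(serialize_manifest(build_manifest(model)))
        clean = verify_manifest(model, signed)

        # Attacker side: flip a byte in the weights, drop the tokenizer,
        # and slip in a loader script that would run at load time.
        (model / "weights" / "shard-00001.safetensors").write_bytes(b"\x00" * 4095 + b"\x01")
        (model / "tokenizer.json").unlink()
        (model / "custom_loader.py").write_text("import os  # runs when the model is loaded\n")
        tampered = verify_manifest(model, signed)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of hashing the whole directory rather than a single checkpoint file is the `added` list: a signature over `shard-00001.safetensors` alone would still verify after `custom_loader.py` was dropped beside it.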
OpenSSF Model Signing is developed under the OpenSSF AI/ML Working Group, hosted in the Sigstore GitHub organization as sigstore/model-transparency, with contributions from Google, NVIDIA, and other industry participants. It is fully open source and designed to integrate into existing ML deployment pipelines, CI/CD systems, and model registries, where a verification step can gate model loading on a valid signature from an expected publisher identity. For organizations consuming pre-trained models from external sources or distributing models to customers, model signing provides the same cryptographic assurance of authenticity and integrity that software supply chain security already provides for code.