This seems like a solution looking for a problem. Can't you just share your model's hash when releasing it? This is exactly what happens when someone like Mistral share a magnet link to their model. It's just a hash.
This seems like a solution looking for a problem. Can't you just share your model's hash when releasing it? This is exactly what happens when someone like Mistral share a magnet link to their model. It's just a hash.
That’s exactly what this is:
> Finally, the statement itself contains subjects which are a list of (file path, digest) pairs a predicate type set to https://model_signing/signature/v1.0 and a dictionary of predicates. The idea is to use the predicates to store (and therefor sign) model card information in the future. The verification part reads the sigstore bundle file and firstly verifies that the signature is valid and secondly compute the model's file hashes again to compare against the signed ones.
It’s important to remember that these models tend to be released as multiple files so a single hash is insufficient (unless you do a hash of hashes).
There is established precedent for open source projects who have a need to authenticate multiple bundled files within a release: a xxxxSUMS file followed by a detached GPG signature file.
For example, Ubuntu does it like this:
- The SHA256SUMS file which lists the hashes of each ISO, manifest, netboot, etc. file: https://releases.ubuntu.com/24.04.2/SHA256SUMS. This can be verified on any Linux system with the standard hashing utilities installed, but by itself not sufficient to protect file integrity.
- The SHA256SUMS.gpg file which contains a detached GPG/PGP signature of the SHA256SUMS file: https://releases.ubuntu.com/24.04.2/SHA256SUMS.gpg. The signature is tied to a particular GPG key ID (in this case, that key ID is 843938DF228D22F7B3742BC0D94AA3F0EFE21092). If the SHA256SUMS file's detached signature is correct and comes from the correct key ID, you've verified that the files weren't modified in transit or by a mirror.
This scheme only protects a one-level directory (which is enough for many open-source projects). If you have nested directories, it's time to distribute the model as an archive (in which case you just sign the archive).
Or just make a torrent file.