OpenSSF Model Signing (OMS)
Model Signing provides a library and a CLI for signing and verifying ML models. It is agnostic to the model format and to the model size. The project also supports several kinds of Public Key Infrastructure (PKI), such as signing with sigstore, with self-signed certificates, or with public/private key pairs, while keeping the same hashing scheme and the same signature format (a sigstore bundle) across all of them.
Signing ML artifacts is an essential step in ensuring the integrity of the ML supply chain. This is particularly important because, in general, the team that trains a foundation model is not the team that deploys it into production, and with the mass proliferation of pretrained models the deployer otherwise has no way to tell whether the bytes they load are the ones the trainer produced.
Preventing model supply chain compromises via model signatures involves signing the model as soon as the training process produces it and verifying that signature every time the model changes hands or is used. This includes verification when the model is uploaded to a model hub, when it is selected for deployment into an application, and when it is used as input for another model (for example as the base of a fine-tune).
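The following is an added, self-contained example written for this page; it is not the model_signing library's own code or its on-disk format. It shows the two properties the text relies on: a hashing scheme that treats a model as an arbitrary directory of arbitrary-size files (each file streamed in chunks into SHA-256, paths sorted so the manifest is canonical), and a verification step that re-hashes the model at the point of use and reports modified, missing and unsigned files. The manifest layout and the function names (`build_manifest`, `sign_manifest`, `verify_model`) are this example's own. A keyed MAC (HMAC-SHA256) stands in for the signature so the block runs offline with the standard library only; OMS itself signs with sigstore, a certificate or a key pair and emits a sigstore bundle. The model directory is constructed in a temporary folder.

```python
"""Added example: format-agnostic model manifest hashing and verification.

Illustrative code for this page, not the model_signing library's
implementation or format. HMAC-SHA256 is a stand-in for a real signature
(OMS uses sigstore / certificates / key pairs and a sigstore bundle).
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep memory flat regardless of model size


def file_digest(path: Path) -> str:
    """SHA-256 of one file, streamed so multi-GB shards are never loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(model_dir: Path) -> dict:
    """Hash every regular file under model_dir. The format is irrelevant:
    safetensors, GGUF, pickle or tokenizer JSON are all just bytes here.
    Paths are relative, POSIX-style and sorted so the manifest is canonical."""
    files = {}
    for p in sorted(model_dir.rglob("*")):
        if p.is_file():
            files[p.relative_to(model_dir).as_posix()] = file_digest(p)
    return {"hash_alg": "sha256", "files": files}


def canonical_bytes(manifest: dict) -> bytes:
    # Deterministic serialization: the signature covers exactly these bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> dict:
    """Stand-in signer (hypothetical): HMAC over the canonical manifest."""
    sig = hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": sig}


def verify_model(model_dir: Path, bundle: dict, key: bytes) -> list:
    """Re-hash the model on disk and compare it with the signed manifest.
    Returns a list of problems; an empty list means the model verifies."""
    expected = hmac.new(key, canonical_bytes(bundle["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(bundle["signature"], expected):
        return ["manifest signature invalid"]  # the file list cannot be trusted at all
    signed = bundle["manifest"]["files"]
    actual = build_manifest(model_dir)["files"]
    problems = []
    for name in sorted(set(signed) | set(actual)):
        if name not in actual:
            problems.append(f"missing: {name}")
        elif name not in signed:
            problems.append(f"unsigned extra file: {name}")
        elif signed[name] != actual[name]:
            problems.append(f"modified: {name}")
    return problems


def demo() -> dict:
    """Constructed sample: a tiny fake model directory signed once at
    'training time', then re-verified after several kinds of tampering."""
    key = b"demo-signing-key-not-for-production"
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        model = Path(tmp) / "model"
        (model / "shards").mkdir(parents=True)
        (model / "config.json").write_text('{"arch": "demo"}')
        shard = model / "shards" / "model-00001.safetensors"
        shard.write_bytes(os.urandom(3 * CHUNK + 17))  # spans several read chunks
        bundle = sign_manifest(build_manifest(model), key)

        results["clean"] = verify_model(model, bundle, key)
        # Attacker swaps a weight shard for one of the same size (poisoned weights).
        shard.write_bytes(os.urandom(shard.stat().st_size))
        results["modified_shard"] = verify_model(model, bundle, key)
        # Attacker drops in a loader file that was never part of the signed set.
        (model / "__init__.py").write_text("import os\n")
        results["extra_file"] = verify_model(model, bundle, key)
        # Attacker edits the manifest itself to cover the new file; the MAC no longer matches.
        forged = json.loads(json.dumps(bundle))
        forged["manifest"]["files"]["__init__.py"] = file_digest(model / "__init__.py")
        results["forged_manifest"] = verify_model(model, forged, key)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {problems or 'OK'}")
```

Because the signature covers a manifest of digests rather than the model bytes themselves, the same scheme works for a single pickle file or a sharded multi-terabyte checkpoint, and the verifier only ever holds one chunk in memory. Note the fail-closed order in `verify_model`: the signature over the manifest is checked before any file digest is trusted, otherwise an attacker who can rewrite the manifest can make any tampering look legitimate.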