Sign AI models with identity. Verify anywhere.
Project description
modelsign
Sign AI models with identity. Verify anywhere.
modelsign cryptographically binds model files to a signed identity card -- who made this model, what it's based on, what it claims to be. Ed25519 signatures, zero ML dependencies, works with any model format.
Install
pip install modelsign
Quick Start
# Generate your signing key
modelsign keygen
# Sign a model with a name
modelsign sign model.safetensors --name "My-Llama-8B-v1"
# Verify it
modelsign verify model.safetensors
# Inspect the identity card
modelsign inspect model.safetensors.sig
Rich Identity Cards
Sign with full provenance:
# Create an identity card
cat > card.json << 'EOF'
{
"name": "Llama-3.1-8B-Chat-QJ",
"architecture": "LlamaForCausalLM",
"base_model": "meta-llama/Llama-3.1-8B-Instruct",
"version": "1.0.0",
"creator": "ConstantQJ",
"license": "Llama 3.1 Community",
"intended_use": "Chat assistant",
"training": {
"dataset": "custom-chat-v2",
"epochs": 3,
"hardware": "DGX Spark GB10"
},
"eval_metrics": {
"mmlu": 0.68,
"humaneval": 0.53
}
}
EOF
modelsign sign model.safetensors --identity card.json
Python SDK
from modelsign import (
ModelCard, validate_card, canonical_json,
generate_keypair, load_private_key, load_public_key,
sign_bytes, build_file_message, verify_bytes,
hash_file, SigFile, write_sig, read_sig,
)
What It Protects Against
- Post-signing tampering of model weights
- Substitution of one model for another
- Metadata swap (changing identity claims invalidates signature)
What It Does NOT Cover
- Key compromise (your key, your responsibility)
- Model safety, fairness, or legal compliance
- Cryptographic timestamping (timestamps are metadata, not proofs)
How It Compares
| modelsign | OpenSSF Model Signing (OMS) | |
|---|---|---|
| Focus | Simple signing + rich identity | Supply-chain integrity via Sigstore |
| Identity card | Embedded (architecture, training, eval metrics) | Minimal (being expanded) |
| Setup | pip install modelsign |
Sigstore toolchain + transparency log |
| Signing | Offline, Ed25519, one command | Keyless via OIDC + Rekor transparency |
| Best for | Individual fine-tunes, HF uploads, quick sharing | Enterprise supply-chain, NGC publishing |
| Network required | No | Yes (Sigstore/Rekor) |
modelsign and OMS are complementary. Use modelsign for fast, offline, identity-rich signing. Use OMS when you need transparency logs and keyless verification at enterprise scale.
Identity Card Schema
| Field | Required | Description |
|---|---|---|
name |
Yes | Model name |
architecture |
No | Model class (e.g., LlamaForCausalLM) |
base_model |
No | Parent model name/path |
parent_signature |
No | Hash of parent's .sig (provenance chain) |
version |
No | Semantic version |
creator |
No | Person or organization |
license |
No | SPDX identifier or name |
intended_use |
No | What the model is for |
restrictions |
No | What it should NOT be used for |
training |
No | {dataset, dataset_hash, epochs, hardware} |
quantization |
No | Method (e.g., GPTQ-4bit) |
eval_metrics |
No | Benchmark results ({mmlu: 0.68}) |
extra |
No | Any additional metadata |
License
Apache 2.0 — QJ / ConstantOne (CIP1 LLC)
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file modelsign-1.0.3.tar.gz.
File metadata
- Download URL: modelsign-1.0.3.tar.gz
- Upload date:
- Size: 26.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a7452f4c3318942df65bac32d6af5ce7c9b755eef2c9877978287f9c06aa93ef
|
|
| MD5 |
a2468b7080289b413692653dc360852d
|
|
| BLAKE2b-256 |
50255296adc488ae6d9f4e991153372717307cdd2379d15b712319eab2dbe620
|
File details
Details for the file modelsign-1.0.3-py3-none-any.whl.
File metadata
- Download URL: modelsign-1.0.3-py3-none-any.whl
- Upload date:
- Size: 21.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1e38e992b217fa059d4ef82b7306c695120217bf9838525c66d2735afcd8b24e
|
|
| MD5 |
b76b7cfff728b680f6015d9cf846893c
|
|
| BLAKE2b-256 |
341db9e7ea8dece7225365bf4a281743341cb28fa60ecbb20f233274cc04361a
|
