safetensors with model weight hashing
Project description
safemodels
Cryptographically-secure proof-of-concept for verifying the provenance of ML models.
This library is a thought experiment into what securing the supply chain of ML models could look like. It's built on top of safetensors. You should probably read the blog post for more context!
Installation
$ pip install safemodels
Usage
Hashing
from safemodels import safe_hash
from huggingface_hub import hf_hub_download as dl
# The same GPT-2 weights in two containers (safetensors and the pickle checkpoint)
# produce the same digest: the hash covers the tensors, not the file bytes.
st = dl("gpt2", filename="model.safetensors")
pt = dl("gpt2", filename="pytorch_model.bin")
assert safe_hash(st) == safe_hash(pt) == 'd6c60a3126ef088e5f8fdaa332da56d552da966a'
Signing
from safemodels import SafeModel
from huggingface_hub import hf_hub_download as dl
st = dl("gpt2", filename="model.safetensors")
sm = SafeModel.from_safetensor(st)
# or
st, sm = SafeModel.from_hf("gpt2", version="main")
sm.sign_safetensor(st) # backwards-compatible rewrite of file
Verification
>>> from safemodels import init, Issuer
>>> from huggingface_hub import hf_hub_download
>>>
>>> # Pin the identity and issuer that signed weights must carry; anything else is rejected
>>> init(Issuer(identity="EleutherAI", issuer="https://auth.huggingface.com"))
>>>
>>> # Lookalike repo: the certificate subject is "EleuterAI", not "EleutherAI", so the load fails
>>> hf_hub_download("EleuterAI/gpt-j-6B", filename="model.safetensors")
Downloading model.safetensors: 100%|███| 548M/548M [00:14<00:00, 39.2MB/s]
211it [00:00, 4785.46it/s]
Error: none of the expected identities matched what was in the certificate, got subjects [EleuterAI] with issuer https://auth.huggingface.com
Traceback (most recent call last):
...
safemodels.InvalidSignature: Loaded a safetensor with an invalid signature!
safetensor Metadata
from safemodels.utils.safetensors import extract_metadata, update_meta
from huggingface_hub import hf_hub_download as dl
st = dl("gpt2", filename="model.safetensors")
print(extract_metadata(st))
# {'format': 'pt'}
update_meta(st, {"hello": "world"})
print(extract_metadata(st))
# {'format': 'pt', 'hello': 'world'}
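The pieces above (a format-independent weight hash, a signature embedded in `__metadata__` by a backwards-compatible header rewrite, and verification that pins the signer's identity) fit together as follows. This is an added, self-contained sketch, not safemodels' own code: the real library signs with a certificate-backed identity, whereas this sketch uses HMAC-SHA256 with a constructed key (`DEMO_KEY`) as a stand-in. It assumes the safetensors container layout (an 8-byte little-endian header length, a JSON header with per-tensor `dtype`/`shape`/`data_offsets` and an optional string-valued `__metadata__` dict, then the raw tensor bytes), a digest over tensor contents only, and that the signer's identity and issuer are stored next to the signature in `__metadata__`. The sample tensors, `DEMO_ISSUER` and the function names (`build_safetensors`, `parse_safetensors`, `weight_hash`, `update_meta`, `sign_safetensor`, `verify_safetensor`, `flip_data_byte`) are all constructed for the example.

```python
import hashlib
import hmac
import json
import struct

DTYPE_SIZE = {"F32": 4, "F16": 2, "I64": 8}   # bytes per element, subset of safetensors dtypes

def _f32(values):
    return struct.pack("<%df" % len(values), *values)

# Constructed sample tensors: name -> (dtype, shape, little-endian raw bytes).
SAMPLE_TENSORS = {
    "wte.weight": ("F32", [2, 3], _f32([0.1, 0.2, 0.3, 0.4, 0.5, 0.6])),
    "ln_f.bias": ("F32", [3], _f32([1.0, 0.0, -1.0])),
}
DEMO_KEY = b"constructed-demo-key"   # stand-in: a real scheme uses an asymmetric key + certificate
DEMO_ISSUER = {"identity": "EleutherAI", "issuer": "https://auth.huggingface.com"}

def _encode_header(header):
    raw = json.dumps(header, separators=(",", ":")).encode("utf-8")
    raw += b" " * (-len(raw) % 8)              # pad to an 8-byte boundary like the reference writer
    return struct.pack("<Q", len(raw)) + raw

def build_safetensors(tensors, metadata=None):
    """Layout: u64 LE header length | JSON header | concatenated tensor bytes."""
    header, data = {}, bytearray()
    for name in sorted(tensors):
        dtype, shape, raw = tensors[name]
        header[name] = {"dtype": dtype, "shape": shape,
                        "data_offsets": [len(data), len(data) + len(raw)]}
        data += raw
    if metadata:
        header["__metadata__"] = {k: str(v) for k, v in metadata.items()}
    return _encode_header(header) + bytes(data)

def parse_safetensors(blob):
    """Return (metadata, tensors), rejecting headers or offsets that do not fit the file."""
    if len(blob) < 8:
        raise ValueError("truncated: no header length")
    (n,) = struct.unpack("<Q", blob[:8])
    if 8 + n > len(blob):
        raise ValueError("header length exceeds file size")
    header = json.loads(blob[8:8 + n].decode("utf-8"))
    data = blob[8 + n:]
    metadata = header.pop("__metadata__", {})
    tensors = {}
    for name, info in header.items():
        begin, end = info["data_offsets"]
        want = DTYPE_SIZE[info["dtype"]]
        for dim in info["shape"]:
            want *= dim
        if not (0 <= begin <= end <= len(data)) or end - begin != want:
            raise ValueError("bad data_offsets for %s" % name)
        tensors[name] = (info["dtype"], list(info["shape"]), data[begin:end])
    return metadata, tensors

def weight_hash(tensors):
    """SHA-256 over (name, dtype, shape, bytes) in name order. It depends only on the
    tensors, not on header layout or __metadata__, so a metadata rewrite (or another
    container holding the same tensors) gives the same digest."""
    h = hashlib.sha256()
    for name in sorted(tensors):
        dtype, shape, raw = tensors[name]
        h.update(("%s\0%s\0%s\0%d\0" % (name, dtype, shape, len(raw))).encode("utf-8"))
        h.update(raw)
    return h.hexdigest()

def update_meta(blob, new_meta):
    """Backwards-compatible rewrite: only the JSON header changes; tensor bytes and
    data_offsets are untouched, so ordinary safetensors loaders still read the file."""
    (n,) = struct.unpack("<Q", blob[:8])
    header = json.loads(blob[8:8 + n].decode("utf-8"))
    meta = dict(header.get("__metadata__", {}))
    meta.update({k: str(v) for k, v in new_meta.items()})
    header["__metadata__"] = meta
    return _encode_header(header) + blob[8 + n:]

def _tag(key, identity, issuer, digest):
    msg = ("%s\0%s\0%s" % (identity, issuer, digest)).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_safetensor(blob, key, identity, issuer):
    """Bind the weight digest and the signer's identity/issuer into __metadata__."""
    _, tensors = parse_safetensors(blob)
    digest = weight_hash(tensors)
    return update_meta(blob, {"weight_hash": digest, "identity": identity,
                              "issuer": issuer, "signature": _tag(key, identity, issuer, digest)})

def verify_safetensor(blob, key, expected):
    """Return (ok, reason). Identity match is exact, so a lookalike subject is rejected."""
    meta, tensors = parse_safetensors(blob)
    if "signature" not in meta:
        return False, "unsigned"
    got = (meta.get("identity"), meta.get("issuer"))
    if got != (expected["identity"], expected["issuer"]):
        return False, "identity mismatch: got %s from %s" % got
    digest = weight_hash(tensors)
    if not hmac.compare_digest(_tag(key, got[0], got[1], digest), meta["signature"]):
        return False, "signature does not match recomputed weight hash"
    return True, "ok"

def flip_data_byte(blob):
    """Corrupt one tensor byte without touching the header (used to show tamper detection)."""
    (n,) = struct.unpack("<Q", blob[:8])
    i = 8 + n
    return blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]
```

Three properties are worth checking against whatever scheme you actually deploy: the digest is unchanged by a header rewrite, so signing after the fact does not alter the identity of the weights; the identity comparison is an exact string match, so a lookalike subject such as `EleuterAI` is rejected before any cryptography runs; and metadata keys outside the signed tuple are not protected here, so loading decisions should never be based on unsigned `__metadata__` fields.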
Download files
Source Distribution: safemodels-0.2.0.tar.gz (6.6 kB)
Built Distribution: safemodels-0.2.0-py3-none-any.whl (8.3 kB)
File details
Details for the file safemodels-0.2.0.tar.gz.
File metadata
- Download URL: safemodels-0.2.0.tar.gz
- Upload date:
- Size: 6.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.5.1 CPython/3.11.0 Darwin/22.1.0
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 67fef8be56dafc75e24b013b6c0d0a0e67265f7a300eaf30a13997cd777f52e9 |
| MD5 | dc2c09042eadabad07441c40c042ac78 |
| BLAKE2b-256 | 02910aa05308a763e12543eec172ee982150c1b2c0d1de6e5fedea422399fd16 |
File details
Details for the file safemodels-0.2.0-py3-none-any.whl.
File metadata
- Download URL: safemodels-0.2.0-py3-none-any.whl
- Upload date:
- Size: 8.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.5.1 CPython/3.11.0 Darwin/22.1.0
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 4b9b6a313a9b00b9c7c77437f1be27edd1ac1eb6f9bb817eee8501349824b2d8 |
| MD5 | 8d98de782a426b2881b05c341b4fae30 |
| BLAKE2b-256 | 8041f31a10ec088a1a9f7d312551246440e839f0555a514910e0fb2883171813 |