Understanding Model Signing and Verification
Cosign is a powerful tool that simplifies the signing and verification process for various digital artifacts, including container images. Its capabilities extend to securely signing and verifying large language models (LLMs), ensuring the integrity and authenticity of the models being used.
Model signing provides several key benefits:
Trust and Authenticity: Verify that models come from trusted sources Integrity Verification: Confirm models haven’t been tampered with Supply Chain Security: Ensure the security of the entire model delivery pipeline Compliance: Meet regulatory requirements for model provenance By signing LLMs, Cosign provides a robust layer of trust, allowing developers and users to confidently deploy and utilize these models in production environments.
Installing Cosign
1
2
3
4
5
6
7
wget "https://github.com/sigstore/cosign/releases/download/v2.4.1/cosign-linux-amd64"
mv cosign-linux-amd64 /usr/local/bin/cosign
chmod +x /usr/local/bin/cosign
cosign version
mkdir model-signing
cd model-signing
In this step, we will learn how to:
1) Generate cryptographic keys for signing 2) Download a machine learning model 3) Sign the model using Cosign 4) Verify the signature to ensure the model’s integrity
Generating Key Pairs
First, we need to generate a cryptographic key pair that will be used for signing and verification:
1
cosign generate-key-pair
You will be prompted to enter a password for the private key. For this exercise, we will use pdso-admin as the password:
1
2
3
4
Enter password for private key:
Enter password for private key again:
Private key written to cosign.key
Public key written to cosign.pub
Downloading a Model
1
wget https://huggingface.co/bert-base-uncased/resolve/main/pytorch_model.bin
Signing the Model
1
cosign sign-blob --key cosign.key pytorch_model.bin > model.sig
The above signing process:
1) Computes a cryptographic hash of the model file 2) Signs this hash with your private key 3) Stores the signature in the model.sig file 4) Records the signature in a public transparency log (if you consent)
Verifying the Model Signature
1
cosign verify-blob --key cosign.pub --signature model.sig pytorch_model.bin
Creating a Verification Script
For production use cases, you might want to automatically verify models before using them. Let’s create a simple script that demonstrates how verification could be integrated into a model loading pipeline:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
cat > verify_model.sh<<EOF
#!/bin/bash
MODEL_FILE=\$1
SIG_FILE=\$2
KEY_FILE=\$3
if [ ! -f "\$MODEL_FILE" ] || [ ! -f "\$SIG_FILE" ] || [ ! -f "\$KEY_FILE" ]; then
echo "Usage: \$0 <model_file> <signature_file> <public_key_file>"
exit 1
fi
echo "Verifying model integrity..."
if cosign verify-blob --key "\$KEY_FILE" --signature "\$SIG_FILE" "\$MODEL_FILE"; then
echo "✅ Model verified successfully!"
echo "Safe to use this model for inference"
exit 0
else
echo "❌ Model verification failed!"
echo "DO NOT use this model - it may have been tampered with"
exit 1
fi
EOF
chmod +x verify_model.sh
./verify_model.sh pytorch_model.bin model.sig cosign.pub