Attack surface
HuggingFace hosts the weights. A mirror could tamper with them; an air-gapped copy could mutate in transit or at rest. A signature over the artifact detects all three cases.
Sigstore
Open-source signing infrastructure. Keyless signing (identity bound via OIDC, short-lived certificate). Public transparency log (Rekor) records every signature. Adopted by HuggingFace.
Verify at deploy
CI/CD verifies the model signature before deployment, pinning the expected signer identity and OIDC issuer. Fail the build if the artifact is unsigned or the signature does not match.
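A deploy-time gate written as an added example, not code from the original page or from HuggingFace/Sigstore: it wraps `cosign verify-blob` so that a missing bundle (unsigned artifact) or a failed verification (tampered weights, wrong signer) fails the build. The model file name, bundle path, signer identity and issuer in the usage comment are placeholders; the `COSIGN` variable is an assumption added so the gating logic can be exercised with a stand-in command when cosign is not on PATH.

```shell
#!/bin/sh
# CI gate for a Sigstore-signed model artifact (added example).
# Assumes keyless signing produced a bundle file shipped next to the weights.
# Usage: verify_model <weights-file> <sigstore-bundle.json> <cert-identity> <oidc-issuer>
# Returns 0 only when the bundle exists and cosign accepts it for the pinned identity.

# Verifier command; overridable (assumption) so the gate can be tested without cosign.
: "${COSIGN:=cosign}"

verify_model() {
    model="$1"; bundle="$2"; identity="$3"; issuer="$4"

    if [ ! -f "$model" ]; then
        echo "FAIL: model file '$model' not found" >&2
        return 1
    fi
    # Unsigned artifact: no bundle shipped with the weights -> fail the build.
    if [ ! -f "$bundle" ]; then
        echo "FAIL: no Sigstore bundle for '$model' (unsigned artifact)" >&2
        return 1
    fi

    # Mismatch (altered bytes, unexpected signer, bad Rekor inclusion proof):
    # cosign exits non-zero and that becomes a build failure.
    # --certificate-identity / --certificate-oidc-issuer pin WHO may sign;
    # without them any valid keyless signature from anyone would pass.
    if "$COSIGN" verify-blob \
        --bundle "$bundle" \
        --certificate-identity "$identity" \
        --certificate-oidc-issuer "$issuer" \
        "$model"; then
        echo "OK: $model verified, signed by $identity via $issuer"
        return 0
    fi
    echo "FAIL: signature verification failed for '$model'" >&2
    return 1
}

# Example CI invocation (all values are placeholders):
# verify_model model.safetensors model.safetensors.sigstore.json \
#     "https://github.com/example-org/model-release/.github/workflows/release.yml@refs/heads/main" \
#     "https://token.actions.githubusercontent.com" || exit 1
```

The identity and issuer should be treated as configuration owned by the deploying team, not read from the artifact, since the whole point of the gate is to reject signatures from anyone else.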
Provenance metadata
Attestation records the training procedure, the dataset and the code hash: a full, verifiable chain from data to weights.