Attack surface

HuggingFace hosts the weights. A mirror could tamper with them. An air-gapped copy could mutate. Signatures detect all three.

Sigstore

Open-source signing infrastructure. Keyless signing (OIDC identity-based). Public transparency log (Rekor). Adopted by HuggingFace.

Verify at deploy

CI/CD verifies the model signature before deployment. Fail the build on an unsigned model or a signature mismatch.
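A deploy-time gate of this kind, as an added example that is not code from the page or from Sigstore: it hashes every file of a model directory into a deterministic manifest, requires a signature bundle to be present, delegates the actual signature check to an injected callback (assumed to wrap Sigstore in CI; a stub stands in here), and fails closed on unsigned, invalid, or mismatching content. The manifest layout and the `SigVerifier` callback are assumptions of this example.

```python
import hashlib
import json
from pathlib import Path
from typing import Callable, Dict, Optional, Tuple

# The signature check is injected: in CI it would wrap Sigstore, e.g.
# `cosign verify-blob --bundle ...` over the canonical manifest bytes.
# A stub stands in here so the gate logic can be exercised offline.
SigVerifier = Callable[[bytes, bytes], bool]


def model_manifest(model_dir: Path) -> Dict[str, str]:
    """SHA-256 of every file under model_dir keyed by sorted relative path,
    so the manifest is deterministic whatever the filesystem order."""
    files: Dict[str, str] = {}
    for p in sorted(model_dir.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            files[p.relative_to(model_dir).as_posix()] = h.hexdigest()
    return files


def canonical(files: Dict[str, str]) -> bytes:
    """Stable serialisation: this is the blob that actually gets signed."""
    return json.dumps({"files": files}, sort_keys=True,
                      separators=(",", ":")).encode()


def deploy_gate(model_dir: Path, signed_manifest: Optional[bytes],
                bundle: Optional[bytes], verify: SigVerifier) -> Tuple[bool, str]:
    """Fail closed: unsigned, bad signature and content mismatch all block."""
    if signed_manifest is None or bundle is None:
        return False, "unsigned: no manifest or signature bundle shipped"
    if not verify(signed_manifest, bundle):
        return False, "signature invalid"
    expected = json.loads(signed_manifest)["files"]
    actual = model_manifest(model_dir)
    if expected != actual:
        # symmetric difference names added, removed and altered files
        changed = {k for k, _ in set(expected.items()) ^ set(actual.items())}
        return False, "mismatch: " + ", ".join(sorted(changed))
    return True, "verified"
```

In a pipeline the gate's boolean decides whether the deploy step runs; the message is what you want in the build log when it does not.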

Provenance metadata

Attestation covers the training procedure, the dataset, and the code hash: the full chain from data to weights.