Open source · Apache-2.0 · PyPI

AURE Provenance

Cryptographic proof that a given output came from your model, your weights, and your data pipeline — not an imposter. Powered by the ModelSign engine.

Signature algorithm: Ed25519
Artifacts signed: 95
PyPI installs: 406/mo
Current release: v1.0.1

What It Does

Four layers of cryptographic verification across the AI model lifecycle.

Model Artifact Signing

Every model file — weights, config, tokenizer, ONNX export — gets an Ed25519 signature. Tamper with one byte and verification fails. No blind trust.

Runtime Trace Verification

Sign not just the model, but the inference pipeline. Verify that the output you received came from the exact model version, weights, and configuration you expected.

Independent Audit

Anyone can verify a signed model without contacting us. The public key, the signature, and the verification tool are all open. No vendor lock-in on trust.

Supply Chain Integrity

From training to deployment, every artifact in the chain is signed. If a model is swapped, corrupted, or tampered with at any point, verification catches it.

Quick Start

Three commands. Sign a model, verify it, done.

Install

pip install modelsign

Sign a model

# Generate a signing key
modelsign keygen --out my_key

# Sign your model directory
modelsign sign --key my_key.private --model ./my-model/

Verify

# Anyone can verify with the public key
modelsign verify --key my_key.public --model ./my-model/

How It Works

1. Hash

Every file in the model directory is hashed, and the resulting manifest of file paths and digests is serialized as RFC 8785 canonical JSON, so the bytes to be signed are identical on every platform regardless of directory listing order or operating system.

2. Sign

The canonical manifest is signed with your Ed25519 private key. The signature covers every file — weights, config, tokenizer, metadata. One tampered byte breaks it.

3. Verify

Anyone with the public key can verify the signature against the model directory. No API calls, no vendor dependency, no trust required — just math.
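The three steps above as an added stand-alone example in Go (it is not the modelsign package's own code): it hashes every file under a directory, serializes the manifest as sorted compact JSON, signs those bytes with Ed25519 and re-verifies from disk so that a changed, added or removed file fails. SHA-256 as the digest and the {path: digest} manifest layout are assumptions, since the page names neither.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// BuildManifest hashes every regular file under dir (SHA-256 is an assumption; the page does not name the digest)
// and returns {path: hexdigest} as compact JSON with sorted keys, which for ASCII paths and hex digests is
// byte-for-byte RFC 8785 output (json.Marshal's HTML escaping of <, > and & would otherwise differ).
func BuildManifest(dir string) ([]byte, error) {
	files := map[string]string{}
	err := filepath.Walk(dir, func(p string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(dir, p)
		files[filepath.ToSlash(rel)] = fmt.Sprintf("%x", sha256.Sum256(data)) // slash paths: same key on Windows and Unix
		return nil
	})
	if err != nil {
		return nil, err
	}
	return json.Marshal(files) // map keys are emitted in sorted order
}

// SignManifest signs the canonical bytes; store the signature outside the model directory so it is not part of the hashed tree.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte { return ed25519.Sign(priv, manifest) }

// VerifyDir rebuilds the manifest from disk, so a changed, added, removed or unreadable file fails verification.
func VerifyDir(pub ed25519.PublicKey, dir string, sig []byte) bool {
	m, err := BuildManifest(dir)
	return err == nil && ed25519.Verify(pub, m, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	m, err := BuildManifest("./my-model")
	fmt.Println(string(m), err, VerifyDir(pub, "./my-model", SignManifest(priv, m)))
}
```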

A Note on Naming

The ModelSign engine is an in-house component of the Constant and AURE stack, designed and implemented by Constant Systems. It is distinct from the OpenSSF model-signing reference package on PyPI, which focuses on Sigstore-based signing of ML model artifacts. We integrate with that ecosystem where appropriate, but ModelSign is our own authored implementation using Ed25519 and RFC 8785 canonical JSON. Our package is published as modelsign on PyPI under Apache-2.0.

Start signing your models

Three commands to verifiable AI. Open source, no vendor lock-in, no trust required.