Sign in Subscribe

The Model Notary: Architecting Secure AI Supply Chains with Sigstore and Cosign

Protect your AI infrastructure from model poisoning. Learn how to implement Sigstore and Cosign to sign, verify, and secure your machine learning pipelines.

The Model Notary: Architecting Secure AI Supply Chains with Sigstore and Cosign
Photo by Mauro Sbicego on Unsplash

We are currently witnessing the industrial revolution of Artificial Intelligence. Organizations are rushing to integrate Large Language Models (LLMs) and predictive analytics into their core products. However, in this rush to deploy, a critical vulnerability is often overlooked: the provenance and integrity of the models themselves.

Consider this: you wouldn't deploy a binary executable into your production banking environment without verifying its digital signature. Yet, every day, data science teams download gigabytes of opaque model weights—often serialized Python objects—from public repositories like Hugging Face and deploy them directly into inference clusters. This is the AI Supply Chain, and right now, it is dangerously fragile.

At Nohatek, we believe that security cannot be an afterthought in MLOps. Just as a notary validates the authenticity of a legal contract, we need a mechanism to validate the authenticity of our AI models. Enter Sigstore and Cosign. In this post, we will explore how these open-source tools act as the 'Model Notary,' allowing you to architect a zero-trust environment for your machine learning assets.

Securing the Supply Chain with SLSA - Matthew Suozzo | PackagingCon 2021 - PackagingCon

The Invisible Threat: Model Poisoning and Serialization Attacks

Danger mines sign in a dark alley.
Photo by Red Shuheart on Unsplash

Before we discuss the solution, we must understand the specific threat vector we are addressing. Unlike standard software supply chains, where the risk lies in malicious source code or compromised dependencies, AI supply chains deal with artifacts.

The most common format for saving machine learning models in Python is pickle. While convenient, the pickle module is notoriously insecure. It is essentially a remote code execution (RCE) engine by design. If an attacker can inject malicious bytecode into a model file (a technique known as Model Poisoning) or swap a legitimate model for a compromised one during the transfer from development to production, the consequences are severe.

The risk isn't just about the model giving wrong answers; it's about the model hijacking the infrastructure that runs it.

Without a cryptographic chain of custody, you cannot answer three fundamental questions:

  • Who created this model?
  • When was it created?
  • Has it been altered since it was trained?

In a professional DevSecOps environment, 'trusting' the file system is not a strategy. We need cryptographic proof.

Meet the Notary: Sigstore and Cosign Explained

a close up of a computer and wires in a dark room
Photo by Vitaly Sacred on Unsplash

The Linux Foundation’s Sigstore project has emerged as the standard for software signing. It aims to make code signing as easy and ubiquitous as obtaining a TLS certificate via Let's Encrypt. Within the Sigstore ecosystem, Cosign is the tool specifically designed to sign containers and binary blobs.

Traditionally, managing GPG keys for signing was a logistical nightmare. Developers would lose private keys, or worse, accidentally commit them to public repositories. Sigstore solves this through Keyless Signing (using OpenID Connect) and a transparency log called Rekor.

Here is how the 'Model Notary' workflow functions:

  1. Identity Verification: The data scientist or CI/CD pipeline authenticates via an OIDC provider (like Google, GitHub, or Microsoft).
  2. Signing: Cosign generates a short-lived certificate based on that identity to sign the model artifact.
  3. Transparency: The signature and the certificate are logged in Rekor, an immutable public ledger.
  4. Verification: The inference server checks the signature against the Rekor log to verify the model matches the signed artifact and was created by a trusted identity.

This shifts the security paradigm from managing secrets (keys) to managing identities, which is far more scalable for enterprise environments.

Practical Implementation: Signing Your First Model

person writing on white paper
Photo by Slidebean on Unsplash

Let’s look at a practical example of how to implement this in a standard MLOps workflow. We will treat a trained model (`model.pt`) as a binary blob.

First, ensure you have Cosign installed. Then, you can generate a key pair (for a private setup) or use the keyless mode. For this example, we will use a generated key pair to keep it self-contained.

# 1. Generate a key pair
cosign generate-key-pair

# Output:
# Private key written to cosign.key
# Public key written to cosign.pub

Once you have your keys, the 'Notarization' process involves signing the model file.

# 2. Sign the model blob
cosign sign-blob --key cosign.key model.pt > model.pt.sig

Now, imagine this model travels through your pipeline—uploaded to S3, downloaded by a testing server, and finally pulled by a production Kubernetes cluster. Before that cluster loads the model into memory, it performs a verification check:

# 3. Verify the signature
cosign verify-blob --key cosign.pub --signature model.pt.sig model.pt

If the model.pt file has been altered by even a single byte—due to corruption or a man-in-the-middle attack—the verification will fail, and your application should refuse to load it.

Advanced Strategy: OCI Artifacts
In modern cloud-native environments, we recommend packaging models as OCI (Open Container Initiative) artifacts. This allows you to store models in the same container registry (like Docker Hub, ACR, or ECR) as your application code. Cosign natively supports signing these OCI images, allowing you to use Kubernetes admission controllers (like Kyverno or Gatekeeper) to automatically reject any unsigned pods.

The Strategic Edge: Compliance and Trust

a wooden block that says trust, surrounded by blue flowers
Photo by Alex Shute on Unsplash

Implementing Sigstore and Cosign isn't just a technical exercise; it is a strategic business decision. With regulations like the EU AI Act and the US Executive Order 14028 on Improving the Nation's Cybersecurity, the requirements for Software Bill of Materials (SBOM) and provenance are trickling down to AI models.

By architecting a secure supply chain now, you position your organization to:

  • Mitigate Risk: Drastically reduce the surface area for supply chain attacks.
  • Ensure Compliance: Create an audit trail that proves exactly which version of a model was running in production at any given time.
  • Build Trust: For companies providing AI services, being able to cryptographically prove the integrity of your models is a significant competitive differentiator.

The era of 'move fast and break things' is ending for AI. The new era is 'move fast with stable infrastructure.'

The 'Model Notary' concept is essential for maturing your AI operations. By leveraging Sigstore and Cosign, you transform your models from trusted files into verifiable assets. You gain visibility, security, and peace of mind knowing that the intelligence driving your business is authentic and unaltered.

At Nohatek, we specialize in building resilient, secure cloud architectures for high-stakes AI implementations. Whether you are looking to secure an existing MLOps pipeline or build a new one from the ground up, our team is ready to help you navigate the complexities of the modern AI supply chain.

Ready to secure your AI infrastructure? Contact us today to discuss your architecture.