modelsign 1.0.0__tar.gz

modelsign-1.0.0/.github/workflows/ci.yml

@@ -0,0 +1,51 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.9", "3.11", "3.12", "3.13"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: pip install -e ".[dev]"
+
+      - name: Run tests
+        run: pytest tests/ -v --tb=short
+
+  publish:
+    needs: test
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/v')
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install build tools
+        run: pip install build
+
+      - name: Build package
+        run: python -m build
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

modelsign-1.0.0/.gitignore

@@ -0,0 +1,6 @@
+__pycache__/
+*.egg-info/
+dist/
+build/
+.mypy_cache/
+*.pyc

modelsign-1.0.0/CHANGELOG.md

@@ -0,0 +1,18 @@
+# Changelog
+
+## v1.0.0 (2026-03-25)
+
+Initial release.
+
+### Features
+
+- **Ed25519 model signing** with domain-prefixed messages (`modelsign-v1:`)
+- **Model Identity Card** — structured, signed metadata (architecture, base model, training, eval metrics, provenance)
+- **RFC 8785 canonical JSON** for deterministic, cross-platform signature verification
+- **Streaming SHA-256** for large model files (1MB chunks, no full-file memory load)
+- **Directory support** — sign multi-file models with recursive manifests
+- **TOFU keyring** — trust-on-first-use with persistent trusted key store
+- **CLI commands**: `sign`, `verify`, `inspect`, `keygen`, `keyring`, `version`
+- **Python SDK** — all modules independently importable
+- **Response signing middleware** (optional) for API endpoint authenticity
+- **Version migration policy** — forward-compatible .sig format with semver checks

modelsign-1.0.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 QJ / ConstantOne (CIP1 LLC)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

modelsign-1.0.0/PKG-INFO

@@ -0,0 +1,147 @@
+Metadata-Version: 2.4
+Name: modelsign
+Version: 1.0.0
+Summary: Sign AI models with identity. Verify anywhere.
+Author-email: QJ <qj@constantone.ai>
+License: MIT
+Project-URL: Homepage, https://github.com/ConstantQJ/modelsign
+Project-URL: Issues, https://github.com/ConstantQJ/modelsign/issues
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: Scientific/Engineering :: Artificial Intelligence
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: cryptography>=41.0
+Requires-Dist: click>=8.0
+Requires-Dist: rfc8785>=0.1.2
+Provides-Extra: middleware
+Requires-Dist: fastapi>=0.100; extra == "middleware"
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0; extra == "dev"
+Requires-Dist: pytest-cov; extra == "dev"
+Requires-Dist: mypy; extra == "dev"
+Dynamic: license-file
+
+# modelsign
+
+[![CI](https://github.com/QuantQJ/modelsign/actions/workflows/ci.yml/badge.svg)](https://github.com/QuantQJ/modelsign/actions/workflows/ci.yml)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Python 3.9+](https://img.shields.io/badge/python-3.9+-blue.svg)](https://www.python.org/downloads/)
+
+Sign AI models with identity. Verify anywhere.
+
+`modelsign` cryptographically binds model files to a signed identity card -- who made this model, what it's based on, what it claims to be. Ed25519 signatures, zero ML dependencies, works with any model format.
+
+## Install
+
+```bash
+pip install modelsign
+```
+
+## Quick Start
+
+```bash
+# Generate your signing key
+modelsign keygen
+
+# Sign a model with a name
+modelsign sign model.safetensors --name "My-Llama-8B-v1"
+
+# Verify it
+modelsign verify model.safetensors
+
+# Inspect the identity card
+modelsign inspect model.safetensors.sig
+```
+
+## Rich Identity Cards
+
+Sign with full provenance:
+
+```bash
+# Create an identity card
+cat > card.json << 'EOF'
+{
+  "name": "Llama-3.1-8B-Chat-QJ",
+  "architecture": "LlamaForCausalLM",
+  "base_model": "meta-llama/Llama-3.1-8B-Instruct",
+  "version": "1.0.0",
+  "creator": "ConstantQJ",
+  "license": "Llama 3.1 Community",
+  "intended_use": "Chat assistant",
+  "training": {
+    "dataset": "custom-chat-v2",
+    "epochs": 3,
+    "hardware": "DGX Spark GB10"
+  },
+  "eval_metrics": {
+    "mmlu": 0.68,
+    "humaneval": 0.53
+  }
+}
+EOF
+
+modelsign sign model.safetensors --identity card.json
+```
+
+## Python SDK
+
+```python
+from modelsign import (
+    ModelCard, validate_card, canonical_json,
+    generate_keypair, load_private_key, load_public_key,
+    sign_bytes, build_file_message, verify_bytes,
+    hash_file, SigFile, write_sig, read_sig,
+)
+```
+
+## What It Protects Against
+
+- Post-signing **tampering** of model weights
+- **Substitution** of one model for another
+- **Metadata swap** (changing identity claims invalidates signature)
+
+## What It Does NOT Cover
+
+- Key compromise (your key, your responsibility)
+- Model safety, fairness, or legal compliance
+- Cryptographic timestamping (timestamps are metadata, not proofs)
+
+## How It Compares
+
+| | modelsign | OpenSSF Model Signing (OMS) |
+|---|---|---|
+| **Focus** | Simple signing + rich identity | Supply-chain integrity via Sigstore |
+| **Identity card** | Embedded (architecture, training, eval metrics) | Minimal (being expanded) |
+| **Setup** | `pip install modelsign` | Sigstore toolchain + transparency log |
+| **Signing** | Offline, Ed25519, one command | Keyless via OIDC + Rekor transparency |
+| **Best for** | Individual fine-tunes, HF uploads, quick sharing | Enterprise supply-chain, NGC publishing |
+| **Network required** | No | Yes (Sigstore/Rekor) |
+
+modelsign and OMS are **complementary**. Use modelsign for fast, offline, identity-rich signing. Use OMS when you need transparency logs and keyless verification at enterprise scale.
+
+## Identity Card Schema
+
+| Field | Required | Description |
+|---|---|---|
+| `name` | Yes | Model name |
+| `architecture` | No | Model class (e.g., `LlamaForCausalLM`) |
+| `base_model` | No | Parent model name/path |
+| `parent_signature` | No | Hash of parent's `.sig` (provenance chain) |
+| `version` | No | Semantic version |
+| `creator` | No | Person or organization |
+| `license` | No | SPDX identifier or name |
+| `intended_use` | No | What the model is for |
+| `restrictions` | No | What it should NOT be used for |
+| `training` | No | `{dataset, dataset_hash, epochs, hardware}` |
+| `quantization` | No | Method (e.g., `GPTQ-4bit`) |
+| `eval_metrics` | No | Benchmark results (`{mmlu: 0.68}`) |
+| `extra` | No | Any additional metadata |
+
+## License
+
+MIT — QJ / ConstantOne (CIP1 LLC)

modelsign-1.0.0/README.md

@@ -0,0 +1,119 @@
+# modelsign
+
+[![CI](https://github.com/QuantQJ/modelsign/actions/workflows/ci.yml/badge.svg)](https://github.com/QuantQJ/modelsign/actions/workflows/ci.yml)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Python 3.9+](https://img.shields.io/badge/python-3.9+-blue.svg)](https://www.python.org/downloads/)
+
+Sign AI models with identity. Verify anywhere.
+
+`modelsign` cryptographically binds model files to a signed identity card -- who made this model, what it's based on, what it claims to be. Ed25519 signatures, zero ML dependencies, works with any model format.
+
+## Install
+
+```bash
+pip install modelsign
+```
+
+## Quick Start
+
+```bash
+# Generate your signing key
+modelsign keygen
+
+# Sign a model with a name
+modelsign sign model.safetensors --name "My-Llama-8B-v1"
+
+# Verify it
+modelsign verify model.safetensors
+
+# Inspect the identity card
+modelsign inspect model.safetensors.sig
+```
+
+## Rich Identity Cards
+
+Sign with full provenance:
+
+```bash
+# Create an identity card
+cat > card.json << 'EOF'
+{
+  "name": "Llama-3.1-8B-Chat-QJ",
+  "architecture": "LlamaForCausalLM",
+  "base_model": "meta-llama/Llama-3.1-8B-Instruct",
+  "version": "1.0.0",
+  "creator": "ConstantQJ",
+  "license": "Llama 3.1 Community",
+  "intended_use": "Chat assistant",
+  "training": {
+    "dataset": "custom-chat-v2",
+    "epochs": 3,
+    "hardware": "DGX Spark GB10"
+  },
+  "eval_metrics": {
+    "mmlu": 0.68,
+    "humaneval": 0.53
+  }
+}
+EOF
+
+modelsign sign model.safetensors --identity card.json
+```
+
+## Python SDK
+
+```python
+from modelsign import (
+    ModelCard, validate_card, canonical_json,
+    generate_keypair, load_private_key, load_public_key,
+    sign_bytes, build_file_message, verify_bytes,
+    hash_file, SigFile, write_sig, read_sig,
+)
+```
+
+## What It Protects Against
+
+- Post-signing **tampering** of model weights
+- **Substitution** of one model for another
+- **Metadata swap** (changing identity claims invalidates signature)
+
+## What It Does NOT Cover
+
+- Key compromise (your key, your responsibility)
+- Model safety, fairness, or legal compliance
+- Cryptographic timestamping (timestamps are metadata, not proofs)
+
+## How It Compares
+
+| | modelsign | OpenSSF Model Signing (OMS) |
+|---|---|---|
+| **Focus** | Simple signing + rich identity | Supply-chain integrity via Sigstore |
+| **Identity card** | Embedded (architecture, training, eval metrics) | Minimal (being expanded) |
+| **Setup** | `pip install modelsign` | Sigstore toolchain + transparency log |
+| **Signing** | Offline, Ed25519, one command | Keyless via OIDC + Rekor transparency |
+| **Best for** | Individual fine-tunes, HF uploads, quick sharing | Enterprise supply-chain, NGC publishing |
+| **Network required** | No | Yes (Sigstore/Rekor) |
+
+modelsign and OMS are **complementary**. Use modelsign for fast, offline, identity-rich signing. Use OMS when you need transparency logs and keyless verification at enterprise scale.
+
+## Identity Card Schema
+
+| Field | Required | Description |
+|---|---|---|
+| `name` | Yes | Model name |
+| `architecture` | No | Model class (e.g., `LlamaForCausalLM`) |
+| `base_model` | No | Parent model name/path |
+| `parent_signature` | No | Hash of parent's `.sig` (provenance chain) |
+| `version` | No | Semantic version |
+| `creator` | No | Person or organization |
+| `license` | No | SPDX identifier or name |
+| `intended_use` | No | What the model is for |
+| `restrictions` | No | What it should NOT be used for |
+| `training` | No | `{dataset, dataset_hash, epochs, hardware}` |
+| `quantization` | No | Method (e.g., `GPTQ-4bit`) |
+| `eval_metrics` | No | Benchmark results (`{mmlu: 0.68}`) |
+| `extra` | No | Any additional metadata |
+
+## License
+
+MIT — QJ / ConstantOne (CIP1 LLC)

modelsign-1.0.0/pyproject.toml

@@ -0,0 +1,42 @@
+[build-system]
+requires = ["setuptools>=68.0", "setuptools-scm"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "modelsign"
+version = "1.0.0"
+description = "Sign AI models with identity. Verify anywhere."
+authors = [{name = "QJ", email = "qj@constantone.ai"}]
+license = {text = "MIT"}
+requires-python = ">=3.9"
+readme = "README.md"
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Topic :: Security :: Cryptography",
+    "Topic :: Scientific/Engineering :: Artificial Intelligence",
+]
+dependencies = [
+    "cryptography>=41.0",
+    "click>=8.0",
+    "rfc8785>=0.1.2",
+]
+
+[project.optional-dependencies]
+middleware = ["fastapi>=0.100"]
+dev = ["pytest>=7.0", "pytest-cov", "mypy"]
+
+[project.scripts]
+modelsign = "modelsign.cli:main"
+
+[project.urls]
+Homepage = "https://github.com/ConstantQJ/modelsign"
+Issues = "https://github.com/ConstantQJ/modelsign/issues"
+
+[tool.setuptools.packages.find]
+where = ["src"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]

modelsign-1.0.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

modelsign-1.0.0/src/modelsign/__init__.py

@@ -0,0 +1,21 @@
+"""modelsign — Sign AI models with identity. Verify anywhere."""
+
+__version__ = "1.0.0"
+
+from modelsign.identity.card import ModelCard, validate_card
+from modelsign.identity.canonical import canonical_json
+from modelsign.crypto.keys import generate_keypair, load_private_key, load_public_key, compute_fingerprint
+from modelsign.crypto.sign import sign_bytes, build_file_message, build_dir_message
+from modelsign.crypto.verify import verify_bytes
+from modelsign.formats.single import hash_file
+from modelsign.formats.directory import hash_directory
+from modelsign.sig import SigFile, write_sig, read_sig
+
+__all__ = [
+    "__version__",
+    "ModelCard", "validate_card", "canonical_json",
+    "generate_keypair", "load_private_key", "load_public_key", "compute_fingerprint",
+    "sign_bytes", "build_file_message", "build_dir_message", "verify_bytes",
+    "hash_file", "hash_directory",
+    "SigFile", "write_sig", "read_sig",
+]