Technical Blog
Related Resources
Cybersecurity

Bringing Verifiable Trust to AI Models: Model Signing in NGC

Jul 28, 2025
By Martin Sablotny, Daniel Major, Laura Seletos, Rich Harang and Neha Hudait
Discuss (0)

AI is entering a new era—one defined by agents that reason, plan, and take action. These agentic systems dynamically interact with APIs, tools, and even the physical environment, which introduces new complexity and vastly expands the AI attack surface and potential risks. A single compromised model can now influence downstream decisions, access external systems, trigger cascading failures, or even physically damage equipment or harm humans. Trust in model integrity can no longer be assumed. It must be verifiable.

To meet this challenge, NVIDIA has been signing all NVIDIA-published models in the NGC Catalog with the OpenSSF Model Signing (OMS) specification since March 2025. That makes the company the first major model hub to offer cryptographic signing for hosted models. Such signing enables consumers to independently verify a model’s origin and integrity, which is a foundational step to shift from implicit to explicit trust at every layer of the AI stack across cloud, on-premise, and edge deployments.

Model signing in NGC is a key component of NVIDIA Enterprise AI Factory and NVIDIA AI Enterprise. It provides end-to-end validation of the integrity of the models that customers download, enabling them to develop, deploy, and scale production-grade AI applications upon a secure, full-stack platform. For a comprehensive overview of the security measures and processes NVIDIA employs, refer to the NVIDIA AI Enterprise Security whitepaper.

Establishing trust with model signing

Model signing brings cryptographic verification to AI workflows, which allows teams to confirm that a model was published by a trusted source and that it hasn’t been altered. 

As shown in Figure 1 below, the signing process begins when a model publisher, such as NGC, uses a private signing key to generate a digital signature for the model. This signature is published alongside the model artifact. When the model is later consumed by a developer, platform, or automated system, a public certificate is used to verify that signature. If the signature matches, the model is confirmed as authentic and unaltered. If it doesn’t, verification fails, flagging the model as altered or potentially compromised. 

A diagram showing the model signing and verification process. On the left, a model is signed using a private signing key and a signing program, producing a signature. On the right, the signed model is verified using a public certificate. If verification succeeds, the model is trusted; if it fails, the model is flagged as untrusted.
Figure 1: Model signing and verification flow

This process creates a verifiable chain of trust:

  • Developers can confirm that models integrated into their pipelines are authentic and unmodified.
  • MLOps and platform teams can enforce provenance checks by ensuring each model is backed by a verifiable certificate chain.
  • Security and compliance teams can audit, trace, and prove the integrity of every model in use.

Model signing establishes a secure bridge between model creation and model consumption. It delivers trust that is explicit, traceable, and built into every step of the lifecycle. 

How model signing works in NGC

NVIDIA has integrated model signing directly into the publishing process for all NVIDIA-hosted models in the NGC Catalog. As shown in Figure 2 below, model signing establishes a verifiable chain of trust from development to deployment, ensuring that consumers can confirm where a model came from and its authenticity.

Each model version is cryptographically signed using the OpenSSF Model Signing (OMS) standard: a flexible, implementation-agnostic format designed for modern AI artifacts. Instead of signing individual files, OMS creates a detached signature bundle that includes:

  • A manifest of all model files, each referenced by cryptographic hash (e.g., SHA-256)
  • Optional metadata to support future extensibility (e.g., version, training config)
  • A digital signature that covers the full bundle

This format ensures that model weights, configuration files, tokenizers, and related assets are verified together as a unit and without modifying the original content. It also supports a wide range of key management approaches: enterprise PKI, self-signed certificates, or keyless signing via Sigstore.

The signing process happens just before publishing to NGC. From there, signed models can be hosted or consumed by any endpoint—whether an API, platform, or AI agent—with signature verification using NVIDIA’s public certificate and open source tooling.

This enables:

  • Model producers to assert ownership and integrity before release
  • Model hubs like NGC to serve as trusted distribution points
  • Model consumers to verify authenticity at the point of use

Built into NGC and aligned with open standards, model signing makes trust portable, verifiable, and scalable.

Diagram showing how models are developed, signed, and distributed through the NGC Catalog. On the left, a model undergoes training, optimization, and packaging. Before publication, it is signed using the OMS standard. The signed model is then made available in the NGC Catalog. On the right, consumers—including developers, APIs, and platforms,—verify the model signature using NVIDIA’s public certificate before deployment.
Figure 2: Trusted model distribution workflow in NGC Catalog

Once published, signed models in NGC can be identified in two ways:

  • In the UI: Look for the “Signed” badge on the model’s details and version history pages.
Screenshot of a model details page in the NVIDIA NGC Catalog, showing the Meta Llama 3.1 model. The page includes the model description, version (2.0), modification date (April 14, 2025), and size (131.43 GB). A “Signed Models” badge appears below the metadata, indicating the model has been cryptographically signed and verified.
Figure 3: Signed model badge on example NVIDIA model
  • Via the CLI: Use the following command to list models and checked for signed versions: ngc registry model list 'nvidia/tao/*'

Signed models will display True in the Has Signed Version column.

Whether you’re running inference locally or deploying models into production, signature visibility is built into your existing workflows, making trust easy to check and scale.

How to verify a model 

Verifying a signed model from NGC is straightforward using the open-source tools provided by the OpenSSF Model Signing Project. These resources, including the model-signing Python tool, support the OMS standard adopted by NGC and can be integrated into local workflows or automated pipelines.

Step 1: Install the model-signing tool from PyPi

pip install model-signing

To ensure supply chain integrity, we recommend validating the authenticity of the package. Pip supports hash checking mode (since version 8.0) to verify the downloaded package matches an expected SHA256 hash. Validation can help defend against typosquatting and tampering.

Step 2: Download the model and signature from NGC

New to the NGC CLI? Check out this quick-start guide to get set up.

ngc registry model download-version "nvidia/tao/dashcamnet:pruned_onnx_v1.0.5"
ngc registry model download-version-signature "nvidia/tao/dashcamnet:pruned_onnx_v1.0.5"

Step 3: Get NVIDIA’s public certificate

curl -O https://api.ngc.nvidia.com/v2/catalog/models/public-key
  -o cert.pem

Step 4: Verify the model

model_signing verify \
  <MODEL_PATH> \
  --signature <SIG_PATH> \
  --certificate_chain cert.pem

If the model is authentic and unaltered, you’ll see: “Verification succeeded.”

This approach ensures that anyone consuming a model from NGC—whether on a local machine, in CI/CD, or at deployment—can validate its origin and integrity using open, standards-based tooling.

Securing the AI supply chain 

Model signing is now built into every NVIDIA-published model on the NGC Catalog, which gives developers, platform teams, and enterprises a simple, standards-based way to verify trust before deployment. This capability brings cryptographic assurance to the core of the AI supply chain and marks a critical step in securing every layer of the AI stack.

As AI continues to scale across industries and environments, trust must be built in, not assumed. With model signing, NVIDIA is helping organizations move faster and more securely, and have confidence in every model they deploy.

To verify a signed model, visit the NGC documentation, learn more about the OpenSSF Model Signing (OMS) specification, and explore the model-signing tool. 

See how NVIDIA is enabling verifiable trust at every layer at the AI stack,from development to deployment, across cloud, on-premise, and edge.

Related resources

Discuss (0)

Tags

Conversational AI | Cybersecurity | Generative AI | General | AI Enterprise | NGC | NIM | Beginner Technical | Tutorial | LLMs

About the Authors

Avatar photo
About Martin Sablotny
Martin Sablotny is a security architect for AI/ML at NVIDIA working on identifying existing gaps in AI security and researching solutions. He received his Ph.D. in computing science from the University of Glasgow in 2022. Before joining NVIDIA, he worked as a security researcher in the German military and conducting research in using AI for security at Google.
Avatar photo
About Daniel Major
Daniel is a distinguished security architect at NVIDIA, where he provides security leadership for areas such as code signing, device PKI, ML deployments, and mobile operating systems. Previously, as principal security architect at BlackBerry, he was instrumental in the mobile phone division’s transition from BlackBerry 10 OS to Android. When not working, Daniel can be found planning his next travel adventure.
Avatar photo
About Laura Seletos
Laura Seletos is a principal cloud security architect at NVIDIA, where she secures AI and cloud workloads at scale. With over a decade of experience spanning threat intelligence, security automation, and cloud transformation, Laura specializes in aligning complex technical solutions with regulatory frameworks like NIST 800-53, FedRAMP, and HIPAA. Previously, as a principal security consultant at AWS, Laura guided Fortune 500 companies and U.S. government agencies in architecting and deploying secure cloud infrastructures at scale. Prior to that, she held key roles at Qualys, including director of Product Management for API & Integrations and major accounts solution architect, where she led hybrid-cloud security strategies and large-scale digital transformation initiatives.
Avatar photo
About Rich Harang
Rich Harang is a Principal Security Architect at NVIDIA, specializing in ML/AI systems, with over a decade of experience at the intersection of computer security, machine learning, and privacy. He received his PhD in Statistics from the University of California Santa Barbara in 2010. Prior to joining NVIDIA, he led the Algorithms Research team at Duo, led research on using machine learning models to detect malicious software, scripts, and web content at Sophos AI, and worked as a Team Lead at the US Army Research Laboratory. His research interests include adversarial machine learning, addressing bias and uncertainty in machine learning, and ways to use machine learning to support human analysis. Richard’s work has been presented at USENIX, BlackHat, IEEE S&P workshops, and DEF CON AI Village, among others, and has also been featured in The Register and KrebsOnSecurity.
About Neha Hudait
Neha Hudait is a senior security product manager at NVIDIA, leading the development and execution of cybersecurity strategies in collaboration with leadership. With a focus on advancing security research and strategy, Neha plays a key role in shaping the future of security in AI and accelerated computing. Neha holds degrees in Electrical Engineering & Computer Science (EECS) and Business Administration from UC Berkeley, as part of the Management, Entrepreneurship, and Technology (M.E.T.) program. Her work emphasizes technical innovation, best practices, and driving diversity and inclusion within the cybersecurity community.

Comments