# Sign and Verify Model

## Install Python Dependencies for Linux

In [1]:
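# Install the pinned dependencies into the environment this kernel runs in.
# %pip targets the kernel's interpreter; a bare `!pip` runs whichever pip is
# first on PATH, which may be a different environment.
# --require-hashes makes pip reject any requirement that is not pinned and
# hash-listed in the requirements file, so a swapped or tampered package
# fails the install instead of being imported by the signing code below.
%pip install --require-hashes -r install/requirements_Linux.txt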

Defaulting to user installation because normal site-packages is not writeable


## Sign function

In [3]:
from pathlib import Path
import model

def sign(modelfn: Path) -> model.SignatureResult:
    """Sign the model at ``modelfn`` with a Sigstore signer.

    The signature location is taken from ``signature_path(modelfn)`` and the
    list passed as ignored paths from ``ignored_paths(modelfn)``, so signing
    and verification agree on both as long as they use the same helpers.

    Args:
        modelfn: Path to the model, either a single file or a directory.

    Returns:
        The result object returned by ``model.SigstoreSigner.sign``.
    """
    sigstore_signer = model.SigstoreSigner()
    sig_file = signature_path(modelfn)
    skipped = ignored_paths(modelfn)
    return sigstore_signer.sign(modelfn, sig_file, skipped)

def signature_path(modelfn: Path) -> Path:
    """Return the location of the signature file for ``modelfn``.

    Args:
        modelfn: Path to the model.

    Returns:
        ``<name>.sig`` next to the model when ``modelfn`` is an existing
        file; otherwise ``model.sig`` inside ``modelfn``.
    """
    if not modelfn.is_file():
        # Anything that is not an existing regular file is handled as a
        # directory model, including a path that does not exist at all.
        return modelfn / "model.sig"
    # Single-file model: the signature sits beside it in the same directory.
    return modelfn.parent / f"{modelfn.name}.sig"


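def ignored_paths(modelfn: Path) -> list[Path]:
    """Return the paths handed to the signer and verifier as ignored.

    Args:
        modelfn: Path to the model.

    Returns:
        An empty list when ``modelfn`` is an existing file; otherwise a
        one-element list holding the ``.git`` entry inside ``modelfn``.
    """
    if modelfn.is_file():
        return []
    # NOTE(review): presumably the library leaves these paths out of the
    # signed content, in which case anything under .git is not covered by
    # the signature; confirm against the model signing library.
    return [modelfn / ".git"]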

## Sign the model

In [4]:
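# Before sharing this notebook, clear this cell's output: the sign-in flow
# prints the OAuth URL, the verification code that was typed in, and the
# signer's identity.
model_path = input("Path to model (e.g. ./models/model.onnx)").strip()
# An empty answer would become Path("."), i.e. the current directory, and
# would then be signed as a directory model; reject it explicitly.
if not model_path:
    raise ValueError("no model path given")
modelfn = Path(model_path)
# Fail before the OIDC flow starts if the path is wrong: signature_path()
# treats anything that is not an existing file as a directory.
if not modelfn.exists():
    raise FileNotFoundError(f"model path does not exist: {modelfn}")
result = sign(modelfn)
# NOTE(review): this relies on the result object being falsy on failure;
# confirm against model.SignatureResult.
if result:
    print("signature success")
else:
    print(f"signature failure: {str(result)}")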

Path to model (e.g. ./models/model.onnx) ./models/model.onnx


Go to the following link in a browser:

	https://oauth2.sigstore.dev/auth/auth?response_type=code&client_id=sigstore&client_secret=&scope=openid+email&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&code_challenge=Yf-lZKDeMFe6X4_nKtA4XUEmWm6Z1l4H6TQiCkZHH6U&code_challenge_method=S256&state=a4383338-8b7a-497f-94f0-5e61be615a22&nonce=5cd82e7f-4896-438a-ab91-5f6e0c7afbcf


Enter verification code:  k7ezy7u6mhhemi3dm4tpxkjcy


identity-provider: https://oauth2.sigstore.dev/auth
identity: ifont@redhat.com
  not_valid_after = self.__cached_signing_certificate.cert.not_valid_after


signature success


## Verify function

In [5]:
def verify(modelfn: Path, issuer: str, identity: str,
           offline=False) -> model.VerificationResult:
    """Verify the Sigstore signature of the model at ``modelfn``.

    The signature file and ignored paths are derived with the same helpers
    used for signing (``signature_path`` and ``ignored_paths``).

    Args:
        modelfn: Path to the model, either a single file or a directory.
        issuer: OIDC provider the signer is expected to have used.
        identity: Identity the signer is expected to have signed as.
        offline: Passed through unchanged to the verifier's ``verify`` call.

    Returns:
        The result object returned by ``model.SigstoreVerifier.verify``.
    """
    sigstore_verifier = model.SigstoreVerifier(oidc_provider=issuer,
                                               identity=identity)
    sig_file = signature_path(modelfn)
    skipped = ignored_paths(modelfn)
    return sigstore_verifier.verify(modelfn, sig_file, skipped, offline)

## Verify the model

In [6]:
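# The expected issuer and identity are the trust decision of this step: they
# should come from what you already know about the publisher, not from the
# signature or the model being checked.
identity_provider = input("Identity provider (e.g. https://accounts.google.com):").strip()
identity = input("identity (e.g. mymail@gmail.com)").strip()
# Refuse to verify without both values rather than passing empty strings on.
if not identity_provider or not identity:
    raise ValueError("an identity provider and an identity are both required")
# modelfn is the path entered in the signing cell above.
result = verify(modelfn=modelfn,
                issuer=identity_provider,
                identity=identity)
# NOTE(review): this relies on the result object being falsy on failure;
# confirm against model.VerificationResult.
if result:
    print("verification success")
else:
    print(f"verification failure: {str(result)}")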


Identity provider (e.g. https://accounts.google.com): https://accounts.google.com
identity (e.g. mymail@gmail.com) ifont@redhat.com


verification success


  sign_date = materials.certificate.not_valid_before
  materials.certificate.not_valid_before
  <= materials.certificate.not_valid_after
