Model Signature Verification#

NVIDIA signs all models published to the NGC Catalog using the OpenSSF Model Signing (OMS) standard. This lets you independently verify that a model artifact was published by NVIDIA and has not been tampered with—a requirement for organizations that operate under a “Trust, but verify” security model.

Note

NIM automatically performs internal checksum verification of downloaded files. The steps on this page describe external cryptographic signature verification, which is separate from and complementary to NIM’s built-in checksum validation.

Prerequisites#

To verify a model signature, you need the following tools:

  • NGC CLI installed and configured with a valid API key

  • model-signing Python package:

    pip install model-signing

Identify the Model Profile#

Each NIM container uses a specific model profile identified by a 64-character profile ID. Use list-model-profiles to see all available profiles:

export NIM_LLM_IMAGE="nvcr.io/nim/meta/llama-3.1-70b-instruct:latest"

docker run --rm --gpus=all \
  ${NIM_LLM_IMAGE} \
  list-model-profiles

Example output:

MODEL PROFILES
- Compatible with system and runnable:
  - 4f904d571fe60ff24695b5ee2aa42da58cb460787a968f1e8a09f5a7e862728d (vllm-bf16-tp1-pp1) [requires >=18 GB/gpu]

Note the 64-character profile ID of the profile you want to verify. To check which profile is active in a running container, inspect the startup logs:

docker logs ${container_name} | grep "Selected profile"

For more details on profile selection, refer to Model Profiles and Selection.

Find the NGC Version Tag#

Each NIM profile downloads its model files from a specific version in the NGC model registry. The mapping is stored in the container’s model manifest at /opt/nim/etc/default/model_manifest.yaml. You need to extract this NGC version tag to download the correct signature in the next step.

First, set your profile ID:

export PROFILE_ID=${profile_id}

For example:

export PROFILE_ID=4f904d571fe60ff24695b5ee2aa42da58cb460787a968f1e8a09f5a7e862728d

Next, inspect the manifest to see the download URI for that profile. The URI contains the NGC version tag:

docker run --rm --entrypoint bash ${NIM_LLM_IMAGE} -c \
  "grep -A20 '${PROFILE_ID}' /opt/nim/etc/default/model_manifest.yaml \
   | grep -m1 'uri:'"

Example output:

uri: ngc://nim/meta/llama-3.1-70b-instruct:bf16-tool-calling-fix?file=LICENSE

The URI has the format ngc://{ORG}/{TEAM}/{MODEL_NAME}:{NGC_TAG}?file=.... From this example:

  • ORG/TEAM: nim/meta

  • MODEL_NAME: llama-3.1-70b-instruct

  • NGC_TAG: bf16-tool-calling-fix

Extract these into variables by first capturing the full model path, then splitting:

# Strip ngc:// prefix and ?file=... suffix to get: nim/meta/llama-3.1-70b-instruct:bf16-tool-calling-fix
export MODEL_URI=$(docker run --rm --entrypoint bash ${NIM_LLM_IMAGE} -c \
  "grep -A20 '${PROFILE_ID}' /opt/nim/etc/default/model_manifest.yaml \
   | grep -m1 'uri:' \
   | sed 's|.*uri: ngc://||;s|?.*||'")

export NGC_MODEL_PATH=$(echo ${MODEL_URI} | cut -d':' -f1)  # nim/meta/llama-3.1-70b-instruct
export NGC_TAG=$(echo ${MODEL_URI} | cut -d':' -f2)          # bf16-tool-calling-fix
export MODEL_NAME=$(echo ${NGC_MODEL_PATH} | cut -d'/' -f3)  # llama-3.1-70b-instruct

echo "NGC_MODEL_PATH: ${NGC_MODEL_PATH}"
echo "MODEL_NAME:     ${MODEL_NAME}"
echo "NGC_TAG:        ${NGC_TAG}"

Example output:

NGC_MODEL_PATH: nim/meta/llama-3.1-70b-instruct
MODEL_NAME:     llama-3.1-70b-instruct
NGC_TAG:        bf16-tool-calling-fix

Download the Model#

Download the model files from NGC using the NGC_MODEL_PATH and NGC_TAG variables set in the previous step:

mkdir -p ./model

ngc registry model download-version \
  ${NGC_MODEL_PATH}:${NGC_TAG} \
  --dest ./model

The model is downloaded to ./model/${MODEL_NAME}_v${NGC_TAG}/. For example:

./model/llama-3.1-70b-instruct_vbf16-tool-calling-fix/

Download the Signature File#

Create a directory for the signature and use the NGC_MODEL_PATH and NGC_TAG from the previous step to download the detached signature:

mkdir -p ./signatures

ngc registry model download-version-signature \
  ${NGC_MODEL_PATH}:${NGC_TAG} \
  --dest ./signatures

The signature is downloaded to ./signatures/${MODEL_NAME}_v${NGC_TAG}/result.sigstore. For example:

./signatures/llama-3.1-70b-instruct_vbf16-tool-calling-fix/result.sigstore

Download the NVIDIA Public Certificate#

Download the NVIDIA public certificate that is used to validate model signatures. The -f flag makes curl fail on an HTTP error instead of saving the error page as cert.pem, which would otherwise surface later as a confusing verification failure:

curl -fsSL https://api.ngc.nvidia.com/v2/catalog/models/public-key -o cert.pem

Verify the Signature#

Run model_signing verify certificate, pointing it at the model directory, the detached signature, and the certificate downloaded in the preceding steps:

model_signing verify certificate \
  ./model/${MODEL_NAME}_v${NGC_TAG} \
  --signature ./signatures/${MODEL_NAME}_v${NGC_TAG}/result.sigstore \
  --certificate_chain cert.pem \
  --allow_symlinks

For example:

model_signing verify certificate \
  ./model/llama-3.1-70b-instruct_vbf16-tool-calling-fix \
  --signature ./signatures/llama-3.1-70b-instruct_vbf16-tool-calling-fix/result.sigstore \
  --certificate_chain cert.pem \
  --allow_symlinks

A successful verification prints a confirmation message and exits with status 0. Any mismatch or tampering causes the command to exit with a non-zero status and an error message; in automated pipelines, treat that non-zero status as a hard stop and do not start the NIM container with a model that failed verification.
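The steps above can be chained into a single fail-closed script. The following is an added example and is not part of the NIM documentation or NVIDIA's tooling: it calls the same docker, ngc and model_signing commands shown on this page, but validates the profile ID and the manifest URI before anything is downloaded, and stops on the first error. The helper names (is_profile_id, parse_ngc_uri, verify_nim_model) and the RUN_NIM_VERIFY switch are this example's own; the PEM check assumes the public-key endpoint serves a PEM certificate, as the --certificate_chain flag expects.

```shell
#!/usr/bin/env bash
# Added example, not part of the NIM documentation: a fail-closed wrapper around
# the manual steps above. It shells out to the docker, ngc and model_signing CLIs
# exactly as the page does; the helper names (parse_ngc_uri, is_profile_id,
# verify_nim_model) are this example's own.
set -euo pipefail

# True only for a 64-character lowercase hex profile ID (the format shown by
# list-model-profiles); anything else is rejected before it reaches grep.
is_profile_id() {
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 64 ]
}

# Split a manifest line of the form
#   uri: ngc://{ORG}/{TEAM}/{MODEL_NAME}:{NGC_TAG}?file=...
# into "ORG/TEAM/MODEL_NAME NGC_TAG MODEL_NAME" on stdout. Any deviation from
# that shape (wrong scheme, missing tag, wrong path depth) returns 1 so the
# caller never downloads from a path it did not expect.
parse_ngc_uri() {
  local line="$1" uri path tag model teams
  uri="${line#*uri: }"                  # tolerate the "uri: " key and indentation
  case "$uri" in
    ngc://*) ;;
    *) echo "not an ngc:// URI: $line" >&2; return 1 ;;
  esac
  uri="${uri#ngc://}"
  uri="${uri%%\?*}"                     # drop the ?file=... suffix
  path="${uri%%:*}"
  tag="${uri#*:}"
  if [ "$tag" = "$uri" ] || [ -z "$tag" ]; then
    echo "URI has no :NGC_TAG component: $line" >&2; return 1
  fi
  model="${path##*/}"
  teams="${path%/*}"                    # should be exactly ORG/TEAM
  case "$teams" in
    */*/*) echo "unexpected path depth in $path" >&2; return 1 ;;
    */*) ;;
    *) echo "expected ORG/TEAM/MODEL_NAME, got $path" >&2; return 1 ;;
  esac
  printf '%s %s %s\n' "$path" "$tag" "$model"
}

# Run the page's verification command on an already downloaded model. Any
# non-zero exit from model_signing (mismatch, tampering, bad chain) propagates
# through set -e, so a caller cannot accidentally continue with an unverified model.
verify_nim_model() {
  local model_dir="$1" sig_file="$2" cert="$3"
  [ -d "$model_dir" ] || { echo "missing model directory: $model_dir" >&2; return 1; }
  [ -s "$sig_file" ]  || { echo "missing signature file: $sig_file" >&2; return 1; }
  # Assumption: the public-key endpoint serves PEM, as --certificate_chain expects.
  # This catches a saved HTML error page before it produces a confusing verify error.
  grep -q 'BEGIN CERTIFICATE' "$cert" || { echo "not a PEM certificate: $cert" >&2; return 1; }
  model_signing verify certificate "$model_dir" \
    --signature "$sig_file" \
    --certificate_chain "$cert" \
    --allow_symlinks
}

# End-to-end: manifest lookup, downloads, verification. Requires NIM_LLM_IMAGE
# and PROFILE_ID in the environment, as in the steps above.
main() {
  : "${NIM_LLM_IMAGE:?set NIM_LLM_IMAGE to the NIM container image}"
  : "${PROFILE_ID:?set PROFILE_ID to the 64-character profile ID}"
  is_profile_id "$PROFILE_ID" || { echo "PROFILE_ID is not 64 hex characters" >&2; return 1; }

  local uri_line parsed model_path tag model_name
  uri_line=$(docker run --rm --entrypoint bash "$NIM_LLM_IMAGE" -c \
    "grep -A20 '${PROFILE_ID}' /opt/nim/etc/default/model_manifest.yaml | grep -m1 'uri:'")
  parsed=$(parse_ngc_uri "$uri_line")
  read -r model_path tag model_name <<<"$parsed"

  mkdir -p ./model ./signatures
  ngc registry model download-version "${model_path}:${tag}" --dest ./model
  ngc registry model download-version-signature "${model_path}:${tag}" --dest ./signatures
  # -f fails on an HTTP error instead of writing the error body to cert.pem.
  curl -fsSL https://api.ngc.nvidia.com/v2/catalog/models/public-key -o cert.pem

  verify_nim_model "./model/${model_name}_v${tag}" \
    "./signatures/${model_name}_v${tag}/result.sigstore" cert.pem
  echo "verified ${model_path}:${tag} against cert.pem"
}

# Only run the full pipeline when explicitly asked, so the functions can be
# sourced and reused without touching docker or NGC.
if [ "${RUN_NIM_VERIFY:-0}" = "1" ]; then
  main
fi
```

Run it with `NIM_LLM_IMAGE=... PROFILE_ID=... RUN_NIM_VERIFY=1 bash verify_nim_model.sh`; the script exits non-zero at the first failing step, so a CI job that gates container startup on it never proceeds with an unverified model.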

Additional Resources#

For more information about model signing and the tools used in this workflow, refer to the following resources: