Change default signature filename to claims.jsonl

README.md

@@ -52,6 +52,17 @@ digest) pairs a predicate type set to `https://model_signing/signature/v1.0` and
 a dictionary of predicates. The idea is to use the predicates to store (and
 therefor sign) model card information in the future.
 
+The default signature filename is `claims.jsonl`, which uses JSONL format (one
+sigstore bundle per line). Signing **appends** a new attestation to this file
+rather than overwriting it, allowing attestations to accumulate as models move
+through their lifecycle (training, registry, security review, production).
+
+During verification, all claims in the file are checked from newest to oldest,
+and verification succeeds if any claim matches.
+
+The legacy `model.sig` format (single JSON blob) is still supported but
+deprecated. Using `.sig` files will emit deprecation warnings.
+
 The verification part reads the sigstore bundle file and firstly verifies that the
 signature is valid and secondly compute the model's file hashes again to compare
 against the signed ones.
@@ -137,9 +148,9 @@ For verification:
 
 ```bash
 [...]$ model_signing verify bert-base-uncased \
-      --signature model.sig \
-      --trust-config client_trust_config.json
-      --identity "$identity"
+      --signature claims.jsonl \
+      --trust-config client_trust_config.json \
+      --identity "$identity" \
       --identity-provider "$oidc_provider"
 ```
 
@@ -169,7 +180,7 @@ All signing methods support changing the signature name and location via the
 `--signature` flag:
 
 ```bash
-[...]$ model_signing sign bert-base-uncased --signature model.sig
+[...]$ model_signing sign bert-base-uncased --signature claims.jsonl
 ```
 
 Consult the help for a list of all flags (`model_signing --help`, or directly
@@ -180,7 +191,7 @@ model we use
 
 ```bash
 [...]$ model_signing verify bert-base-uncased \
-      --signature model.sig \
+      --signature claims.jsonl \
       --identity "$identity" \
       --identity-provider "$oidc_provider"
 ```
@@ -210,7 +221,7 @@ Similarly, for key verification, we can use
 
 ```bash
 [...]$ model_signing verify key bert-base-uncased \
-       --signature resnet.sig --public-key key.pub
+       --signature claims.jsonl --public-key key.pub
 ```
 
 #### Signing with PKCS #11 URIs
@@ -243,15 +254,15 @@ With a PKCS #11 URI describing the private key, we can use the following
 for signing:
 
 ```bash
-[...]$ model_signing sign pkcs11-key --signature model.sig \
+[...]$ model_signing sign pkcs11-key --signature claims.jsonl \
        --pkcs11_uri "pkcs11:..." /path/to/your/model
 ```
 
 For signature verification it is necessary to retrieve the public key from
 the PKCS #11 device and store it in a file in PEM format. With can then use:
 
 ```bash
-[...]$ model_signing verify key --signature model.sig\
+[...]$ model_signing verify key --signature claims.jsonl \
        --public-key key.pub  /path/to/your/model
 ```
 
@@ -342,7 +353,7 @@ The simplest way to generate a signature using Sigstore is:
 ```python
 import model_signing
 
-model_signing.signing.sign("bert-base-uncased", "model.sig")
+model_signing.signing.sign("bert-base-uncased", "claims.jsonl")
 ```
 
 This will run the same OIDC flow as when signing with Sigstore from the CLI.

docs/demo.ipynb

@@ -541,7 +541,7 @@
         "id": "L2zQrDPnBDcu"
       },
       "source": [
-        "By default, the signature is in `model.sig`. First, we can look at its size:"
+        "By default, the signature is in `claims.jsonl`. First, we can look at its size:"
       ]
     },
     {
@@ -559,12 +559,12 @@
           "output_type": "stream",
           "name": "stdout",
           "text": [
-            "-rw-r--r-- 1 root root 11345 Oct 10 18:00 model.sig\n"
+            "-rw-r--r-- 1 root root 11345 Oct 10 18:00 claims.jsonl\n"
           ]
         }
       ],
       "source": [
-        "!ls -l model.sig"
+        "!ls -l claims.jsonl"
       ]
     },
     {
@@ -597,7 +597,7 @@
         }
       ],
       "source": [
-        "!model_signing verify bert-base-uncased --signature model.sig --identity \"$identity\" --identity_provider \"$oidc_provider\""
+        "!model_signing verify bert-base-uncased --signature claims.jsonl --identity \"$identity\" --identity_provider \"$oidc_provider\""
       ]
     },
     {
@@ -785,7 +785,7 @@
         }
       ],
       "source": [
-        "!model_signing verify resnet-50 --signature model.sig --identity \"$identity\" --identity_provider \"$oidc_provider\""
+        "!model_signing verify resnet-50 --signature claims.jsonl --identity \"$identity\" --identity_provider \"$oidc_provider\""
       ]
     },
     {
@@ -818,7 +818,7 @@
         }
       ],
       "source": [
-        "!model_signing verify bert-base-uncased --signature model.sig --identity \"FAKE_IDENTITY\" --identity_provider \"$oidc_provider\""
+        "!model_signing verify bert-base-uncased --signature claims.jsonl --identity \"FAKE_IDENTITY\" --identity_provider \"$oidc_provider\""
       ]
     },
     {
@@ -853,7 +853,7 @@
         }
       ],
       "source": [
-        "!model_signing verify bert-base-uncased --signature model.sig --identity \"$identity\" --identity_provider \"FAKE_PROVIDER\""
+        "!model_signing verify bert-base-uncased --signature claims.jsonl --identity \"$identity\" --identity_provider \"FAKE_PROVIDER\""
       ]
     },
     {

docs/model_signing_format.md

@@ -71,7 +71,7 @@ transparency log.
 Below is an example of the Sigstore bundle showing each of the layers described above.
 
 ```bash
-$ cat model.sig | jq .
+$ cat claims.jsonl | jq .
 {
   "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
   "verificationMaterial": {
@@ -127,7 +127,7 @@ $ cat model.sig | jq .
   }
 }
 
-$ cat model.sig | jq .dsseEnvelope.payload -r | base64 -d | jq .
+$ cat claims.jsonl | jq .dsseEnvelope.payload -r | base64 -d | jq .
 {
   "_type": "https://in-toto.io/Statement/v1",
   "subject": [

src/model_signing/__init__.py

@@ -40,7 +40,7 @@
 Signing can be done using the default configuration:
 
 ```python
-model_signing.signing.sign("finbert", "finbert.sig")
+model_signing.signing.sign("finbert", "finbert.jsonl")
 ```
 
 This example generates the signature using Sigstore.
@@ -55,7 +55,7 @@
     model_signing.hashing.Config().set_ignored_paths(
         paths=["README.md"], ignore_git_paths=True
     )
-).sign("finbert", "finbert.sig")
+).sign("finbert", "finbert.jsonl")
 ```
 
 This example generates a signature using a private key based on elliptic curve
@@ -72,7 +72,7 @@
 ```python
 model_signing.verifying.Config().use_sigstore_verifier(
     identity=identity, oidc_issuer=oidc_provider
-).verify("finbert", "finbert.sig")
+).verify("finbert", "finbert.jsonl")
 ```
 
 Where `identity` and `oidc_provider` are the parameters obtained after the OIDC
@@ -86,7 +86,7 @@
 ).set_hashing_config(
     model_signing.hashing.Config().use_shard_serialization()
     )
-).verify("finbert", "finbert.sig")
+).verify("finbert", "finbert.jsonl")
 ```
 
 Alternatively, we also support automatic detection of the hashing configuration
@@ -95,7 +95,7 @@
 ```python
 model_signing.verifying.Config().use_elliptic_key_verifier(
     public_key="key.pub"
-).verify("finbert", "finbert.sig")
+).verify("finbert", "finbert.jsonl")
 ```
 
 A reminder that we still need to set the verification configuration. This sets