HuggingFace signs uploaded models with Sigstore, which proves file integrity since upload. But for quantized models (GGUF, AWQ, GPTQ), there is no way for the hub to verify the quantization was faithful to the original.
Research in 2025 demonstrated adversarial weight injection during quantization -- the full-precision model is clean, the quantized version contains targeted malicious behaviour, and it passes all standard checks. The reported success rate was 88.7%.
This happens because quantization is a lossy process. Small adversarial modifications hide in the quantization noise.
The fix sits with the hub and the quantizer, not the consumer:
Quantizer (publisher) side:
- When quantizing, produce a signed attestation linking the output to the source model Sigstore signature
- Include: source model hash, quantization tool + version, method (e.g. q4_k_m)
Hub side:
- Verify the attestation chain when a quantized model is uploaded
- Display provenance status: "Quantized from [model-id], verified" or "Unverified quantization"
- Flag quantized models with no provenance chain
The consumer sees a badge. No manual verification needed.
An IETF Internet-Draft defining the attestation format: https://datatracker.ietf.org/doc/draft-sharif-ai-model-lifecycle-attestation/ (Section 7)
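As an added illustration of the publisher/hub split above (not code from the draft, the hub, or any quantization tool), here is a minimal attestation that carries the fields listed and a hub-side check that turns it into the badge text. Sigstore's keyless signing is replaced by an HMAC over the canonical statement, and the model files are constructed byte strings; both are assumptions for this example.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for the full-precision and quantized model files.
SOURCE_MODEL_BYTES = b"constructed full-precision safetensors bytes"
QUANTIZED_BYTES = b"constructed q4_k_m gguf bytes"
# Stand-in for the publisher's signing identity; real Sigstore would use a
# short-lived certificate and a transparency log, not a shared secret.
PUBLISHER_KEY = b"constructed-publisher-key"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(statement: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash the same bytes.
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()

def make_attestation(source_id, source_bytes, quantized_bytes, tool, version, method, key):
    """Publisher side: bind the quantized output to the source model digest."""
    statement = {
        "source_model": source_id,
        "source_sha256": sha256(source_bytes),
        "output_sha256": sha256(quantized_bytes),
        "quantization_tool": tool,
        "tool_version": version,
        "method": method,
    }
    signature = hmac.new(key, canonical(statement), hashlib.sha256).hexdigest()
    return {"statement": statement, "signature": signature}

def hub_verify(attestation, uploaded_bytes, known_source_sha256, key) -> str:
    """Hub side: verify the chain and return the provenance badge text."""
    if attestation is None:
        return "Unverified quantization"
    stmt = attestation["statement"]
    expected = hmac.new(key, canonical(stmt), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation["signature"]):
        return "Unverified quantization"          # statement was altered or forged
    if stmt["source_sha256"] != known_source_sha256:
        return "Unverified quantization"          # does not chain to the signed source
    if stmt["output_sha256"] != sha256(uploaded_bytes):
        return "Unverified quantization"          # attestation is for different bytes
    return f"Quantized from {stmt['source_model']}, verified"
```

A real deployment would look up `known_source_sha256` from the source model's own Sigstore signature rather than passing it in.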