[GH-ISSUE #13080] How to compute hash for model download verification ? #86347

Closed
opened 2026-05-10 03:09:44 -05:00 by GiteaMirror · 3 comments
Owner

Originally created by @FrouxBY on GitHub (Nov 13, 2025).
Original GitHub issue: https://github.com/ollama/ollama/issues/13080

Hello,

Using Ollama to pull the models, there is no way to be sure that the weights downloaded are actually the one advertised on the Ollama website,
There seems to be hash that goes with every checkpoint, but there are no instruction on how to compute locally this hash to see wether it match the one provided on ollama.com;

Additionnaly this could ensure the model integrity on my side, in case of malicious activity,

Is there a way to ensure the integrity of the weights ?

Thanks for your help

Originally created by @FrouxBY on GitHub (Nov 13, 2025). Original GitHub issue: https://github.com/ollama/ollama/issues/13080 Hello, Using Ollama to pull the models, there is no way to be sure that the weights downloaded are actually the one advertised on the Ollama website, There seems to be hash that goes with every checkpoint, but there are no instruction on how to compute locally this hash to see wether it match the one provided on ollama.com; Additionnaly this could ensure the model integrity on my side, in case of malicious activity, Is there a way to ensure the integrity of the weights ? Thanks for your help
Author
Owner

@rick-github commented on GitHub (Nov 13, 2025):

https://sha256sum.com/

The filename of the blob is the SHA256 of the contents. You can recompute the hash to verify the contents are correct, and then compare the hash to the value in the model card in the ollama library to verify it's the same file.

<!-- gh-comment-id:3528785941 --> @rick-github commented on GitHub (Nov 13, 2025): https://sha256sum.com/ The filename of the blob is the SHA256 of the contents. You can recompute the hash to verify the contents are correct, and then compare the hash to the value in the model card in the ollama library to verify it's the same file.
Author
Owner

@FrouxBY commented on GitHub (Nov 17, 2025):

Thank you,
I was missing that the hash on the website is the hash of the manifest file for the model,

Thanks for your help:)

<!-- gh-comment-id:3540730006 --> @FrouxBY commented on GitHub (Nov 17, 2025): Thank you, I was missing that the hash on the website is the hash of the manifest file for the model, Thanks for your help:)
Author
Owner

@fallrisk-ai commented on GitHub (May 5, 2026):

@FrouxBY I built Trustfall Lite, an open-source CLI that scans local Hugging Face and Ollama model caches, computes artifact hashes, and checks them against a signed public registry.

Install:

pipx install fallrisk-trustfall
trustfall scan

It reports four states:

verified – artifact hash matches a signed registry record
unknown_variant – model name appears in the registry, but local bytes differ
not_enrolled – no registry record exists
pilot_available – queued for enrollment

The important boundary: Trustfall Lite verifies artifact identity, not runtime identity. It answers “do the bytes on disk match a signed record?” It does not claim the running process is structurally the same model. That is a separate layer.

The registry is public and signed:
https://attest.fallrisk.ai/registry.json

Source:
https://github.com/fallrisk-ai/trustfall-lite

PyPI:
https://pypi.org/project/fallrisk-trustfall/

Research / evidence boundary:
https://fallrisk.ai/research/

Founder scan:
https://fallrisk.ai/articles/founder-scan

There is also a local-only mode if you do not want hash lookups sent to the API:

trustfall registry --refresh
trustfall scan --local-only

I’m especially interested in feedback from people running local model fleets, internal model caches, or AI supply-chain/security tooling.

<!-- gh-comment-id:4382635885 --> @fallrisk-ai commented on GitHub (May 5, 2026): @FrouxBY I built Trustfall Lite, an open-source CLI that scans local Hugging Face and Ollama model caches, computes artifact hashes, and checks them against a signed public registry. Install: > pipx install fallrisk-trustfall > trustfall scan It reports four states: > verified – artifact hash matches a signed registry record > unknown_variant – model name appears in the registry, but local bytes differ > not_enrolled – no registry record exists > pilot_available – queued for enrollment The important boundary: Trustfall Lite verifies artifact identity, not runtime identity. It answers “do the bytes on disk match a signed record?” It does not claim the running process is structurally the same model. That is a separate layer. > The registry is public and signed: > https://attest.fallrisk.ai/registry.json > > Source: > https://github.com/fallrisk-ai/trustfall-lite > > PyPI: > https://pypi.org/project/fallrisk-trustfall/ > > Research / evidence boundary: > https://fallrisk.ai/research/ > > Founder scan: > https://fallrisk.ai/articles/founder-scan There is also a local-only mode if you do not want hash lookups sent to the API: > trustfall registry --refresh > trustfall scan --local-only I’m especially interested in feedback from people running local model fleets, internal model caches, or AI supply-chain/security tooling.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/ollama#86347