BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.devconf.info//devconf-cz-2026//talk//CVPQC9
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-devconf-cz-2026-CVPQC9@pretalx.devconf.info
DTSTART;TZID=CET:20260619T101500
DTEND;TZID=CET:20260619T105000
DESCRIPTION:Container images get signed and verified. AI models almost neve
 r do. A poisoned checkpoint can run arbitrary code at deserialization\, ye
 t Kubernetes clusters treat model weights as trusted blobs. The tooling to
  change this reached v1.0 in 2025.\n\nThis talk walks through a practical 
 enforcement pipeline for model trust on Kubernetes using three open source
  tools: **Sigstore model signing** (OMS v1.0) to sign model artifacts\, th
 e **Sigstore Model Validation Operator** for admission time verification\,
  and **Kyverno** policies to block workloads referencing unsigned models. 
 We trace the lifecycle: signing in CI\, recording in **Rekor**\, and block
 ing a tampered checkpoint at deploy time.\n\nWe also cover what still brea
 ks: verification with quantized and adapter merged models\, hashing instab
 ility across formats\, and where **AIBOM** metadata fits into the attestat
 ion chain. A **live demo** signs\, deploys\, and blocks an unsigned model 
 on a running cluster.
DTSTAMP:20260430T125155Z
LOCATION:D0206 (capacity 154)
SUMMARY:No Unsigned Models in My Cluster: Bringing Container Trust to AI Mo
 dels on Kubernetes - Ayushi Tiwari\, Rahul Sharma
URL:https://pretalx.devconf.info/devconf-cz-2026/talk/CVPQC9/
END:VEVENT
END:VCALENDAR