2026-01-08 · AI · edge-computing · security · PKI · OTA · thistle

Securing AI Models on Edge Devices: Establishing Provenance with Thistle OTA

previously @ Thistle Technologies

Cryptographic model provenance for edge AI — signing AI model files with cloud-KMS keys and verifying them on-device before every use with Thistle OTA.

AI model provenance — the ability to verify a model's origin and integrity — is no longer optional; it's essential. As AI models are deployed to edge devices in critical infrastructure, automotive systems, and medical devices, ensuring that a model hasn't been tampered with between release and runtime is a fundamental security requirement.

Thistle's OTA update system enables digitally signing AI model files and verifying them on-device before every use, ensuring models haven't been tampered with.

The Problem: Model Tampering at the Edge

Edge-deployed models face unique risks:

  • Physical tampering — attacker with device access replaces model files
  • Man-in-the-middle attacks — network-intercepted updates substitute malicious models
  • Supply chain compromise — models modified before deployment

Conventional deployment methods offer no consistent way to confirm that the model a device is actually loading is the one that was released.

The Solution: Cryptographic Provenance

Approach: Sign every AI model file with a cloud-KMS-managed key, and verify signatures on-device before every use.

Signature format:

<timestamp>:<base64_signature>

The signature covers <timestamp>:<sha256_hash_of_file>, not the raw file. This design:

  1. Proves the file was signed with your signing key, so it is attributable to whoever controls that key
  2. Records when it was signed; the timestamp is covered by the signature, so it cannot be altered without invalidating it (it is the signer's clock, not an independent timestamp authority)
  3. Works with any file type (PyTorch, TensorFlow, ONNX, or raw binaries), since only the SHA-256 digest of the file enters the signed string
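To make the format concrete, here is an added example (not Thistle's code) that builds and checks the <timestamp>:<base64_signature> layout end to end with a local ECDSA P-256 key standing in for the project's Cloud KMS key. The page does not state the signature algorithm, the timestamp encoding, or how the hash is written into the signed string; ECDSA P-256 with SHA-256, a decimal Unix timestamp and a lowercase hex digest are assumptions here, and the model bytes are constructed. It requires the `cryptography` package.

```python
# Added example, not Thistle's code: the "<timestamp>:<base64_signature>"
# layout built and verified end to end with a local ECDSA P-256 key standing
# in for the project's Cloud KMS key.
# ASSUMPTIONS (not stated on the page): ECDSA P-256 with SHA-256, a decimal
# Unix timestamp, and a lowercase hex SHA-256 digest inside the signed string.
import base64
import binascii
import hashlib
import time
from typing import Optional, Tuple

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

SIG_ALG = ec.ECDSA(hashes.SHA256())


def signed_message(timestamp: int, model_bytes: bytes) -> bytes:
    """The bytes that are actually signed: "<timestamp>:<sha256_hash_of_file>".

    Only the digest of the model is signed, which is why the scheme does not
    care whether the file is PyTorch, ONNX or a raw blob.
    """
    digest = hashlib.sha256(model_bytes).hexdigest()
    return f"{timestamp}:{digest}".encode("ascii")


def sign_model(private_key: ec.EllipticCurvePrivateKey, model_bytes: bytes,
               timestamp: Optional[int] = None) -> str:
    """Produce the .thistlesig text "<timestamp>:<base64_signature>"."""
    if timestamp is None:
        timestamp = int(time.time())  # signer's clock, not a timestamp authority
    raw_sig = private_key.sign(signed_message(timestamp, model_bytes), SIG_ALG)
    return f"{timestamp}:{base64.b64encode(raw_sig).decode('ascii')}"


def parse_sig(sig_text: str) -> Tuple[int, bytes]:
    """Split a signature line into (timestamp, raw signature bytes)."""
    ts, sep, b64 = sig_text.strip().partition(":")
    if not sep or not ts.isdigit():
        raise ValueError("malformed signature: expected <timestamp>:<base64>")
    try:
        return int(ts), base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"malformed base64 signature: {exc}") from exc


def verify_model(public_key: ec.EllipticCurvePublicKey, model_bytes: bytes,
                 sig_text: str) -> Optional[int]:
    """Return the signed timestamp if the signature checks out, else None.

    The timestamp is returned rather than a bare True so the caller can apply
    a rollback policy (e.g. refuse a model older than the one already installed).
    """
    try:
        timestamp, raw_sig = parse_sig(sig_text)
        public_key.verify(raw_sig, signed_message(timestamp, model_bytes), SIG_ALG)
    except (ValueError, InvalidSignature):
        return None
    return timestamp


def demo() -> dict:
    """Sign a constructed model blob and show what verification catches."""
    kms_stand_in = ec.generate_private_key(ec.SECP256R1())  # stand-in for KMS key
    pub = kms_stand_in.public_key()
    model = b"\x00constructed model bytes, not a real checkpoint\x00" * 64
    sig = sign_model(kms_stand_in, model, timestamp=1736294400)

    ts, b64 = sig.split(":", 1)
    edited_ts = f"{int(ts) + 1}:{b64}"  # timestamp changed, signature kept
    other_key = ec.generate_private_key(ec.SECP256R1()).public_key()

    return {
        "sig_prefix": ts,                                         # "1736294400"
        "valid": verify_model(pub, model, sig),                   # 1736294400
        "tampered_file": verify_model(pub, model + b"\x01", sig),  # None
        "edited_timestamp": verify_model(pub, model, edited_ts),   # None
        "wrong_key": verify_model(other_key, model, sig),          # None
        "malformed": verify_model(pub, model, "not-a-signature"),  # None
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>18}: {result}")
```

The four negative cases are the point: a flipped byte in the model, an edited timestamp, a signature from a different key, and a malformed line all fail the same check, because the timestamp and the file digest are bound together under one signature.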

Two Ways to Sign

Option 1: Thistle Release Helper (TRH) — CLI

For CI/CD pipelines or scripting:

trh prepare --sign-ai-model

Generates a .thistlesig file next to each model file (model.pt gets model.pt.thistlesig). Publish with trh release.

Option 2: Thistle Control Center — Web Platform

  1. Upload a ZIP archive containing your model files
  2. Enable "Generate Signatures" during upload
  3. Platform automatically signs each file in the archive
  4. Create a release when processing completes

Behind the scenes: extracts each file, signs using your project's cloud-managed key (backed by Google Cloud KMS), adds the .thistlesig file, and repackages everything.

On-Device Verification: TUC at Startup

Thistle Update Client (TUC) v1.7.1 or above verifies signatures before the AI application loads a model:

tuc -c tuc-config.json verify-file /path/to/model.pt /path/to/model.pt.thistlesig

On success: TUC verification success

On failure (tampered file, or a signature that does not match it): TUC verification failure

Gate on tuc's exit status rather than on the printed text; the message is for the logs.

Integrating into Your AI Application

Recommended pattern: run the verification on every startup, before any model file is opened, and refuse to run if any check fails. Because verification recomputes the file's hash each time, a model swapped on disk after the previous check is caught at the next startup; a long-running service that reloads models should re-verify before each reload, which is what "before every use" means in practice.
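The startup gate described above and the tuc invocation in the previous section, as an added example that is neither Thistle's nor any particular application's code. It assumes tuc exits 0 on success and non-zero on failure (the page mentions exit codes but not their values), that the signature sits beside the model as <model>.thistlesig as in the command shown, and that model loading is a caller-supplied function. The FAKE_TUC_* commands are constructed stand-ins so the demo runs on a machine without tuc installed; in production the default ("tuc",) is used.

```python
# Added example, not Thistle's or the application's own code: gate model
# loading on `tuc verify-file` at startup and fail closed.
# ASSUMPTIONS (not stated on the page): tuc exits 0 on success and non-zero on
# failure; the signature sits beside the model as <model>.thistlesig. The
# FAKE_TUC_* commands are constructed stand-ins for the real tuc binary.
import logging
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Any, Callable, Dict, Iterable, Optional, Sequence

log = logging.getLogger("model-gate")


class ModelVerificationError(RuntimeError):
    """Raised when any model fails verification; the app must not start."""


@dataclass(frozen=True)
class Verification:
    model: Path
    ok: bool
    exit_code: Optional[int]  # None when tuc could not be run at all
    output: str               # tuc's stdout+stderr, kept as evidence


def tuc_verify(model: Path, config: Path = Path("tuc-config.json"),
               tuc: Sequence[str] = ("tuc",), timeout: float = 60.0) -> Verification:
    """Run `tuc -c <config> verify-file <model> <model>.thistlesig`."""
    sig = model.with_name(model.name + ".thistlesig")
    if not model.is_file() or not sig.is_file():
        # A missing model or signature is a verification failure, not a skip.
        missing = model if not model.is_file() else sig
        return Verification(model, False, None, f"missing file: {missing}")
    argv = [*tuc, "-c", str(config), "verify-file", str(model), str(sig)]
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        # Fail closed: if the verifier cannot run, treat the model as unverified.
        return Verification(model, False, None, repr(exc))
    output = (proc.stdout + proc.stderr).strip()
    # Gate on the exit status; the printed message is only logged as evidence.
    return Verification(model, proc.returncode == 0, proc.returncode, output)


def load_verified_models(models: Iterable[Path], loader: Callable[[Path], Any],
                         **tuc_kwargs: Any) -> Dict[Path, Any]:
    """Verify every model first, then load; any failure aborts startup."""
    results = [tuc_verify(Path(m), **tuc_kwargs) for m in models]
    for r in results:
        log.info("verify %s: ok=%s exit=%s output=%r",
                 r.model, r.ok, r.exit_code, r.output)
    failed = [r for r in results if not r.ok]
    if failed:
        raise ModelVerificationError(
            "refusing to start; unverified models: "
            + ", ".join(f"{r.model} ({r.output})" for r in failed))
    return {r.model: loader(r.model) for r in results}


# Constructed stand-ins for the tuc binary; only the exit status matters.
FAKE_TUC_OK = (sys.executable, "-c", "print('TUC verification success')")
FAKE_TUC_FAIL = (sys.executable, "-c",
                 "import sys; print('TUC verification failure'); sys.exit(1)")


def demo(tuc: Sequence[str]) -> Dict[str, Any]:
    """Create a constructed model/signature pair and run the gate against it."""
    with tempfile.TemporaryDirectory() as tmp:
        model = Path(tmp) / "model.pt"
        model.write_bytes(b"constructed model bytes")  # not a real checkpoint
        model.with_name("model.pt.thistlesig").write_text("1736294400:AQ==\n")
        result = tuc_verify(model, tuc=tuc)
        missing = tuc_verify(Path(tmp) / "nosuch.pt", tuc=tuc)
        try:
            loaded = load_verified_models([model], lambda p: p.read_bytes(), tuc=tuc)
            started = True
        except ModelVerificationError as exc:
            log.error("%s", exc)
            loaded, started = {}, False
    return {"ok": result.ok, "exit_code": result.exit_code,
            "output": result.output, "started": started,
            "loaded": len(loaded), "missing_sig": missing.ok}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo(FAKE_TUC_OK))
    print(demo(FAKE_TUC_FAIL))
```

Two details carry the security weight: verification happens before the loader ever touches a file, and every path that cannot produce a positive answer (non-zero exit, tuc missing, timeout, absent signature) is treated as failure, so the application never starts on an unverified model by accident.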

Why This Matters for Regulated Industries

Automotive, medical devices, and critical infrastructure require evidence of software integrity. Thistle provides:

  • Audit trail — every signature includes a timestamp
  • Key management — private keys never leave Google Cloud KMS
  • Verification evidence — TUC exit codes and logs prove verification occurred
  • Supply chain security — models signed at release, verified at runtime

Summary

Securing AI models on edge devices requires runtime proof of origin. Thistle's OTA system provides flexible signing (CLI or web UI), cloud-backed keys in Google Cloud KMS, on-device verification via tuc verify-file, and transparent format with human-readable timestamps.