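// Key points: allow-list the signature type and algorithm (`OpenPGP`/`SSH`, `RSA`/`ED25519`).
// Validate the time window and the key `kid`; commits made with an expired or unknown key
// must not enter a protected branch. Merging into a protected branch requires passing
// status checks and two-person approval.

// Implementation example

/**
 * Signature metadata attached to a commit. This is metadata only: it carries no
 * signature bytes, so nothing here verifies the signature cryptographically —
 * that must happen in the signing infrastructure / key lookup behind `keyValid`.
 */
type SigMeta = { type: 'OpenPGP' | 'SSH'; alg: 'RSA' | 'ED25519'; kid?: string };

/** A commit under review. `time` is the commit timestamp, in the same unit as `now` (milliseconds). */
type Commit = { id: string; author: string; time: number; sig?: SigMeta };

/** Allow-listed signature types and algorithms; anything else is rejected. */
const ALLOWED_SIG_TYPES: readonly string[] = ['OpenPGP', 'SSH'];
const ALLOWED_SIG_ALGS: readonly string[] = ['RSA', 'ED25519'];

/** Clock-skew tolerance applied to the key validity window, in seconds. */
const LEEWAY_SEC = 60;

/**
 * Checks that a signature is present and uses an allow-listed type and algorithm.
 * The runtime checks are kept even though the TS types already constrain the fields,
 * because the metadata normally arrives from an untrusted source (e.g. parsed JSON).
 *
 * @param sig - signature metadata, possibly absent
 * @returns true only when `sig` exists and both `type` and `alg` are allow-listed
 */
function validSig(sig?: SigMeta): sig is SigMeta {
  if (!sig) return false;
  if (!ALLOWED_SIG_TYPES.includes(sig.type)) return false;
  if (!ALLOWED_SIG_ALGS.includes(sig.alg)) return false;
  return true;
}

/**
 * Tests whether `now` falls inside the window [created, expires], widened on both
 * sides by `leewaySec` seconds to tolerate clock skew.
 *
 * @param created - window start (milliseconds)
 * @param expires - window end (milliseconds)
 * @param now - instant to test (milliseconds)
 * @param leewaySec - skew tolerance in seconds; converted to milliseconds here
 * @returns false for a degenerate window (`expires <= created`), otherwise the window test
 */
function within(created: number, expires: number, now: number, leewaySec: number): boolean {
  if (expires <= created) return false;
  const leewayMs = leewaySec * 1000;
  return now + leewayMs >= created && now - leewayMs <= expires;
}

/**
 * Decides whether a set of commits may be merged into a protected branch.
 * Every commit must carry an allow-listed signature with a key id, the key must be
 * known (`keyValid(...).ok`), and the key's validity window must cover both the commit
 * timestamp and the merge time `now`. An empty commit list is never mergeable.
 *
 * @param commits - commits in the merge request
 * @param keyValid - key lookup; returns `ok: false` for unknown or revoked keys and the key's validity window
 * @param now - merge time (milliseconds)
 * @returns true only when every commit passes all checks and there is at least one commit
 */
function allowMerge(
  commits: Commit[],
  keyValid: (kid?: string) => { ok: boolean; notBefore: number; notAfter: number },
  now: number,
): boolean {
  if (commits.length === 0) return false;
  for (const c of commits) {
    if (!validSig(c.sig)) return false;
    // A commit without a key id cannot be attributed or audited: treat it as an unknown key
    // rather than delegating an undefined kid to the lookup.
    if (!c.sig.kid) return false;
    const kv = keyValid(c.sig.kid);
    if (!kv.ok) return false;
    // The key must have been valid when the commit was made (c.time) and must still be
    // valid at merge time (now); either an out-of-window signing time or an expired key rejects.
    if (!within(kv.notBefore, kv.notAfter, c.time, LEEWAY_SEC)) return false;
    if (!within(kv.notBefore, kv.notAfter, now, LEEWAY_SEC)) return false;
  }
  return true;
}

// Audit and operational governance: the audit log records the commit `id`, `kid`,
// signature type and time window; changes to a protected branch require approval.
// Merge requests that fail status checks or carry non-compliant signatures are
// rejected outright.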
