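/*
 * Key points
 * ----------
 * Publish the artifact digest together with its signature. When verification
 * fails, block the deployment and roll back to the most recent trusted
 * version. Rotate signing keys on two tracks, `current` and `next`, each with
 * its own `kid` and validity window. Add a transparency log or a verifiable
 * certificate chain so that a single compromised key is not a single point of
 * failure.
 *
 * Implementation example
 */

/** RSASSA-PKCS1-v1_5 with SHA-256, i.e. JWA "RS256". The algorithm is pinned
 *  here on purpose: the envelope's `alg` is only ever compared against it,
 *  never used to select what gets verified. */
const RS256_ALG = 'RS256'
const RS256_PARAMS = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }

/** A published verification key: its identifier, public JWK, and the
 *  [notBefore, notAfter] window (epoch milliseconds) in which it may verify. */
type Key = { kid: string; jwk: JsonWebKey; notBefore: number; notAfter: number }

/** In-memory registry of verification keys addressed by `kid`. */
class KeyStore {
  private readonly keys = new Map<string, Key>()

  /**
   * Register a key.
   *
   * @throws Error when `kid` is already registered — a `kid` must name exactly
   *   one key so that audit records (which store the `kid`) stay unambiguous
   *   and key material can never be silently swapped under an existing
   *   identifier; rotation registers a fresh `kid` for the `next` key rather
   *   than overwriting the `current` one.
   * @throws Error when the validity window is not a finite, ordered range.
   */
  add(k: Key): void {
    if (this.keys.has(k.kid)) throw new Error(`duplicate kid: ${k.kid}`)
    if (!Number.isFinite(k.notBefore) || !Number.isFinite(k.notAfter) || k.notBefore > k.notAfter) {
      throw new Error(`invalid validity window for kid ${k.kid}`)
    }
    this.keys.set(k.kid, k)
  }

  /** Look up a key by `kid`; `undefined` when unknown. */
  get(kid: string): Key | undefined {
    return this.keys.get(kid)
  }
}

/**
 * Whether `k` may be used at instant `now` (epoch ms), tolerating `leewaySec`
 * seconds of clock skew at both ends of the validity window. Note that the
 * leeway also extends acceptance past `notAfter` by that much, so "outside the
 * rotation window only the new key is accepted" holds up to the skew
 * allowance. Comparisons involving NaN are false, so a malformed window or
 * timestamp fails closed.
 */
function keyUsable(k: Key, now: number, leewaySec: number): boolean {
  const skewMs = leewaySec * 1000
  return now + skewMs >= k.notBefore && now - skewMs <= k.notAfter
}

/**
 * Verify an RS256 signature over `data` using the key named by `signed.kid`.
 *
 * Fails closed (returns false) when the envelope names any algorithm other
 * than RS256, when the `kid` is unknown or outside its validity window (60 s
 * skew allowed), or when the registered JWK is not an RSA key or declares a
 * different `alg` / `use`. The last check binds the algorithm to the key
 * itself (RFC 7517 `kty`/`alg`/`use`) rather than trusting only the
 * envelope, so a mismatched or attacker-chosen `alg` cannot be satisfied by a
 * key of another type.
 *
 * @returns true only when the signature verifies; never true on any error.
 * @throws when the registered JWK is itself malformed (`importKey` rejects) —
 *   that is a registry configuration error, not an untrusted-input condition,
 *   and surfacing it is preferable to masking it as a plain "false".
 */
async function verifySignature(
  data: Uint8Array,
  signed: { kid: string; alg: string; sig: string },
  ks: KeyStore,
  now: number,
): Promise<boolean> {
  if (signed.alg !== RS256_ALG) return false
  const k = ks.get(signed.kid)
  if (!k || !keyUsable(k, now, 60)) return false
  // Algorithm must agree with the key record, not just with the envelope.
  if (k.jwk.kty !== 'RSA') return false
  if (k.jwk.alg !== undefined && k.jwk.alg !== RS256_ALG) return false
  if (k.jwk.use !== undefined && k.jwk.use !== 'sig') return false
  const key = await crypto.subtle.importKey('jwk', k.jwk, RS256_PARAMS, false, ['verify'])
  // Buffer's base64 decoder is lenient (accepts base64url, skips invalid
  // characters); a mangled signature simply fails to verify.
  const sig = Buffer.from(signed.sig, 'base64')
  return crypto.subtle.verify({ name: RS256_PARAMS.name }, key, sig, data)
}

/** Lower-case hex SHA-256 of `buf` (64 characters). */
async function sha256Hex(buf: Uint8Array): Promise<string> {
  const digest = await crypto.subtle.digest('SHA-256', buf)
  return Buffer.from(digest).toString('hex')
}

/** Exactly 64 hex digits, either case. */
const SHA256_HEX = /^[0-9a-f]{64}$/i

/**
 * Whether `buf` hashes to `expectedHexSha256` (case-insensitive hex).
 *
 * An expected value that is not exactly 64 hex digits — e.g. an empty or
 * truncated manifest field — can never match and is rejected before hashing.
 * The value being compared is a public digest, so an ordinary string compare
 * is sufficient here; no secret is leaked through timing.
 */
async function verifyArtifactDigest(buf: Uint8Array, expectedHexSha256: string): Promise<boolean> {
  if (!SHA256_HEX.test(expectedHexSha256)) return false
  const actual = await sha256Hex(buf)
  return actual === expectedHexSha256.toLowerCase()
}

/*
 * Release governance
 * ------------------
 * Verify twice, before and after publishing: proceed only when both the
 * digest match and the signature-chain verification pass. Inside the rotation
 * window accept signatures from both the `current` and `next` public keys;
 * outside it accept only the new key (subject to the clock-skew leeway noted
 * on keyUsable). Audit records keep the signature fingerprint, `kid`,
 * certificate digest and validity window so a compliance review can
 * reconstruct what was trusted, and when.
 */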
