实现示例

type RekorEntry = { logID: string; bodySha256: string; sigAlg: 'RS256'; sigB64: string; integratedTime: number }

/** Issuer identity recorded alongside an entry: certificate CN plus the issuer URI that `validIssuer` checks. */
type Issuer = { cn: string; uri: string }

/** Returns true when `h` is exactly 64 hexadecimal characters (a SHA-256 digest), in either case. */
function hex64(h: string): boolean {
  const sha256Hex = /^[0-9a-f]{64}$/i
  return sha256Hex.test(h)
}

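/**
 * Returns true when `s` is a well-formed standard (RFC 4648 §4) base64 string:
 * non-empty, alphabet `A-Z a-z 0-9 + /`, length a multiple of four, and `=`
 * padding permitted only as the final one or two characters.
 *
 * The earlier check only constrained the alphabet, so `=` anywhere and any
 * length passed; such a value would still fail to decode when the signature
 * is later verified, so the structural rules are enforced here instead.
 */
function b64(s: string): boolean {
  // Cheap length gate first; the regex below then enforces padding placement.
  if (s.length === 0 || s.length % 4 !== 0) return false
  const standardBase64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/
  return standardBase64.test(s)
}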

/**
 * Returns true when `now` lies inside `[created, expires]`, widened by `leewaySec`
 * on both ends. `created`, `expires` and `now` are in milliseconds (the leeway is
 * converted from seconds); an empty or inverted interval is always rejected.
 */
function within(created: number, expires: number, now: number, leewaySec: number): boolean {
  const leewayMs = leewaySec * 1000
  const intervalIsValid = created < expires
  const notTooEarly = created <= now + leewayMs
  const notTooLate = expires >= now - leewayMs
  return intervalIsValid && notTooEarly && notTooLate
}

/**
 * Returns true when the issuer has a non-empty CN and an https URI whose host
 * is in `allowHosts`. The comparison uses `URL.host`, which includes an explicit
 * non-default port, so allow-list entries must match that form exactly.
 * A URI that `new URL` rejects yields false rather than throwing.
 */
function validIssuer(i: Issuer, allowHosts: Set<string>): boolean {
  try {
    const parsed = new URL(i.uri)
    if (!i.cn) return false
    if (parsed.protocol !== 'https:') return false
    return allowHosts.has(parsed.host)
  } catch {
    return false
  }
}

/**
 * Structural sanity check for a transparency-log entry: non-empty log id,
 * 64-hex body digest, the single supported signature algorithm, base64-shaped
 * signature and a positive integration timestamp. Each guard fails fast.
 */
function validEntry(e: RekorEntry): boolean {
  if (!e.logID) return false
  if (!hex64(e.bodySha256)) return false
  if (e.sigAlg !== 'RS256') return false
  if (!b64(e.sigB64)) return false
  return e.integratedTime > 0
}

/**
 * Admission decision for one entry/issuer pair: both must pass their structural
 * checks, and `now` must fall within `windowDays` of the entry's integration time
 * (converted from seconds to milliseconds), with a fixed 60-second leeway.
 */
function accept(e: RekorEntry, i: Issuer, now: number, allowHosts: Set<string>, windowDays: number): boolean {
  if (!validEntry(e) || !validIssuer(i, allowHosts)) return false
  const msPerDay = 24 * 60 * 60 * 1000
  const windowStart = e.integratedTime * 1000
  const windowEnd = windowStart + windowDays * msPerDay
  // Leeway is fixed at 60s; a non-positive windowDays yields an empty interval and is rejected by within().
  return within(windowStart, windowEnd, now, 60)
}

审计与发布治理

审计记录透明日志条目与发行方信息；超过时间窗口或不合规即阻断。仅接受受信发行方域名；策略变更需审批与归档。
