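// Background and value: an SLSA provenance attestation records the builder, the
// materials and the build process; combined with a signature it lets a consumer
// verify that an artifact came from a trusted pipeline, reducing supply-chain risk.
// Rules enforced by this listing:
//   - builder identity: `builder.id` must be on the allow-list;
//   - material integrity: every material carries a digest that is checked at build time;
//   - artifact and statement signatures: both must be signed and verifiable.

// ---- Core implementation: statement model and validation ----

type Material = { uri: string; digest: { sha256: string } };
type Subject = { name: string; digest: { sha256: string } };
type Predicate = { buildType: string; builder: { id: string }; materials: Material[] };
type Attestation = { subject: Subject[]; predicate: Predicate; signatureB64: string };

/** Builder identities accepted as trusted provenance producers. */
const allowBuilders = new Set<string>([
  'https://ci.example.com/builder',
  'https://github.com/actions',
]);

/** True when `s` is exactly 64 hex characters, i.e. a well-formed SHA-256 digest (either case). */
function hex(s: string): boolean {
  return /^[a-f0-9]{64}$/i.test(s);
}

/**
 * Structural pre-check of an attestation, done before any cryptography.
 *
 * Rejects when the builder is not on the allow-list, when the attestation binds
 * no subject at all (an empty subject list attests nothing and must not count as
 * valid), when any material or subject digest is not a well-formed SHA-256 hex
 * string, or when the signature is not standard-base64 text.
 * Passing this check does NOT establish authenticity; `verifyAttestation` does.
 */
function attOk(a: Attestation): boolean {
  if (!allowBuilders.has(a.predicate.builder.id)) return false;
  if (a.subject.length === 0) return false;
  const wellFormed = (d: { digest: { sha256: string } }): boolean => hex(d.digest.sha256);
  if (!a.predicate.materials.every(wellFormed)) return false;
  if (!a.subject.every(wellFormed)) return false;
  // Standard (non-URL-safe) base64 alphabet: this is what `b64u` / atob() below can decode.
  return /^[A-Za-z0-9+/=]+$/.test(a.signatureB64);
}

// ---- Artifact digest check ----

/** SHA-256 of `buf` as lowercase hex, computed with WebCrypto. */
async function sha256(buf: ArrayBuffer): Promise<string> {
  const digest = await crypto.subtle.digest('SHA-256', buf);
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, '0')).join('');
}

/** True when the artifact bytes hash to the subject's recorded sha256 (compared case-insensitively). */
async function subjectMatch(sub: Subject, art: ArrayBuffer): Promise<boolean> {
  const actual = await sha256(art);
  return actual.toLowerCase() === sub.digest.sha256.toLowerCase();
}

// ---- Signature verification (placeholder) ----

/** Imports an SPKI-encoded ECDSA P-256 public key that can only be used for `verify`. */
async function importPublicKey(spki: ArrayBuffer): Promise<CryptoKey> {
  return crypto.subtle.importKey('spki', spki, { name: 'ECDSA', namedCurve: 'P-256' }, false, ['verify']);
}

/** UTF-8 encodes `s`. */
function enc(s: string): Uint8Array {
  return new TextEncoder().encode(s);
}

/**
 * Decodes standard base64 (the alphabet `attOk` accepts) into an ArrayBuffer.
 * Despite the name this is NOT base64url: atob() rejects '-' and '_'.
 * @throws DOMException (InvalidCharacterError) on malformed input, so run `attOk` first.
 */
function b64u(s: string): ArrayBuffer {
  const bin = atob(s);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out.buffer;
}

/**
 * Verifies the ECDSA P-256 / SHA-256 signature over the statement.
 *
 * The signed message is `JSON.stringify({ subject, predicate })` of the parsed
 * object, so the signer must produce exactly that serialization (same key order,
 * no whitespace); any drift makes a genuine signature fail to verify.
 * NOTE(review): WebCrypto's ECDSA verify takes the raw r||s (IEEE P1363)
 * signature encoding rather than DER — confirm the signer emits that format.
 * Resolves to false when the signature does not verify; it does not throw for
 * a bad signature, only for malformed base64 (see `b64u`).
 */
async function verifyAttestation(a: Attestation, pub: CryptoKey): Promise<boolean> {
  const payload = JSON.stringify({ subject: a.subject, predicate: a.predicate });
  return crypto.subtle.verify({ name: 'ECDSA', hash: 'SHA-256' }, pub, b64u(a.signatureB64), enc(payload));
}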
落地建议:将构建来源证明与产物一起发布,验证构建者身份、材料哈希与签名。在 CI 与发布门禁执行来源证明校验,失败则阻断并审计。验证清单:`builder.id` 是否命中白名单;材料与产物哈希是否匹配;签名是否验证成功。
