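// 实现示例 (implementation example)

/** A transparency-log entry as consumed by the acceptance check below. */
type RekorEntry = {
  logID: string;
  /** Hex-encoded SHA-256 digest of the entry body: exactly 64 hex characters. */
  bodySha256: string;
  /** Only 'RS256' is accepted by validEntry. */
  sigAlg: 'RS256';
  /** Base64-encoded signature bytes. */
  sigB64: string;
  /** Integration time in seconds since the epoch (accept scales it to milliseconds). */
  integratedTime: number;
};

/** Issuer identity: a subject common name plus the issuer URI. */
type Issuer = { cn: string; uri: string };

// Hoisted so the patterns are compiled once rather than per call.
const HEX64_RE = /^[A-Fa-f0-9]{64}$/;
// Canonical base64: whole groups of four, then at most one padded final group.
const B64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

/** True when `h` is exactly 64 hexadecimal characters (a SHA-256 digest in hex). */
function hex64(h: string): boolean {
  return HEX64_RE.test(h);
}

/**
 * True when `s` is non-empty canonical base64: the alphabet A–Z a–z 0–9 + /,
 * in groups of four, with '=' padding permitted only at the end.
 * The earlier check accepted '=' at any position and any length, so strings
 * that no decoder would accept passed validation.
 */
function b64(s: string): boolean {
  return s.length > 0 && B64_RE.test(s);
}

/**
 * Whether `now` lies in [created, expires], widened by `leewaySec` seconds on
 * both sides to absorb clock skew. All three instants are epoch milliseconds.
 *
 * @returns false for an empty or inverted window (expires <= created);
 *          NaN inputs also yield false because every comparison fails.
 */
function within(created: number, expires: number, now: number, leewaySec: number): boolean {
  if (expires <= created) return false;
  const skewMs = leewaySec * 1000;
  return now + skewMs >= created && now - skewMs <= expires;
}

/**
 * Issuer passes only when it has a common name, its URI parses, the scheme is
 * https and the host is in `allowHosts`. `URL.host` includes an explicit
 * non-default port and is lowercased by the parser, so allow-list entries must
 * be lowercase and carry the same port form. An unparseable URI is rejected,
 * never thrown.
 */
function validIssuer(i: Issuer, allowHosts: Set<string>): boolean {
  if (!i.cn) return false;
  let u: URL;
  try {
    u = new URL(i.uri);
  } catch {
    return false;
  }
  return u.protocol === 'https:' && allowHosts.has(u.host);
}

/**
 * Structural check of a log entry: non-empty log id, hex SHA-256 body digest,
 * RS256 signature algorithm, canonical base64 signature and a finite, positive
 * integration time. Infinity is rejected here rather than relying on the
 * downstream window check to reject the resulting inverted window.
 */
function validEntry(e: RekorEntry): boolean {
  return (
    !!e.logID &&
    hex64(e.bodySha256) &&
    e.sigAlg === 'RS256' &&
    b64(e.sigB64) &&
    Number.isFinite(e.integratedTime) &&
    e.integratedTime > 0
  );
}

/**
 * Accept the entry when it is well-formed, the issuer is trusted, and `now`
 * (epoch milliseconds) falls within `windowDays` days after the entry's
 * integration time, tolerating `leewaySec` seconds of clock skew.
 *
 * @param leewaySec skew tolerance in seconds; defaults to 60, the value that
 *                  was previously hard-coded, so existing callers are unchanged.
 * @returns false when `windowDays` is zero, negative or NaN, since the window
 *          is then empty or undefined.
 */
function accept(
  e: RekorEntry,
  i: Issuer,
  now: number,
  allowHosts: Set<string>,
  windowDays: number,
  leewaySec = 60,
): boolean {
  if (!validEntry(e)) return false;
  if (!validIssuer(i, allowHosts)) return false;
  const start = e.integratedTime * 1000;
  const end = start + windowDays * 24 * 60 * 60 * 1000;
  return within(start, end, now, leewaySec);
}

// 审计与发布治理
// 审计记录透明日志条目与发行方信息;超过时间窗口或不合规即阻断。仅接受受信发行方域名;策略变更需审批与归档。
// (Audit and release governance: record transparency-log entries and issuer details for
//  audit; block anything outside the time window or otherwise non-compliant. Accept only
//  trusted issuer hosts; policy changes require approval and archiving.)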
