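// Implementation example

/**
 * Claims taken from a token whose signature has already been verified
 * (signature checking is outside this example). `iat`/`exp` are NumericDate
 * values in seconds; `email`/`repo` are optional and are not evaluated here.
 */
type Claims = { iss: string; sub: string; iat: number; exp: number; email?: string; repo?: string }

/**
 * Returns true when `now` lies inside [created, expires], each end widened by
 * `leewaySec`, and the window itself is well-formed (expires > created).
 *
 * @param created   window start in milliseconds
 * @param expires   window end in milliseconds
 * @param now       evaluation time in milliseconds
 * @param leewaySec clock-skew allowance in seconds, applied on both ends
 * @returns false for any non-finite input, since every comparison with NaN is false
 */
function within(created: number, expires: number, now: number, leewaySec: number): boolean {
  if (expires <= created) return false
  const leewayMs = leewaySec * 1000
  return now + leewayMs >= created && now - leewayMs <= expires
}

/**
 * Accepts `iss` only when it parses as an absolute https URL whose origin is in `allow`.
 *
 * Matching is on the origin, so entries in `allow` must be origins
 * (`scheme://host[:port]`, no trailing slash). Any path in `iss` is ignored:
 * two issuers that share a host and differ only by path are indistinguishable here.
 *
 * @returns false for unparseable or non-https issuers
 */
function validIssuer(iss: string, allow: Set<string>): boolean {
  try {
    const url = new URL(iss)
    return url.protocol === 'https:' && allow.has(url.origin)
  } catch {
    // new URL() throws on anything that is not an absolute URL
    return false
  }
}

/**
 * Tests `sub` against the policy pattern.
 *
 * The pattern should be anchored (`^...$`); an unanchored pattern matches any
 * subject that merely contains it. A non-string subject is rejected rather than
 * coerced (RegExp#test would stringify `undefined` to "undefined"), and a
 * global/sticky pattern is copied without those flags so that `lastIndex`
 * state cannot make successive calls alternate between true and false.
 */
function validSubject(sub: string, allowSubs: RegExp): boolean {
  if (typeof sub !== 'string') return false
  const stateless =
    allowSubs.global || allowSubs.sticky
      ? new RegExp(allowSubs.source, allowSubs.flags.replace(/[gy]/g, ''))
      : allowSubs
  return stateless.test(sub)
}

/**
 * Evaluates already-verified claims against a policy and reports every failed check.
 *
 * @param c      claims; `iat`/`exp` are expected as finite numbers in seconds
 * @param policy allowIss: allowed https origins; allowSub: anchored subject pattern;
 *               maxTtlSec: maximum permitted `exp - iat`; leewaySec: clock-skew
 *               allowance in seconds (defaults to 60)
 * @param now    evaluation time in milliseconds (defaults to Date.now(); injectable for tests)
 * @returns `ok` plus the failed checks, in order, drawn from 'iss' | 'sub' | 'time' | 'ttl'
 */
function evaluate(
  c: Claims,
  policy: { allowIss: Set<string>; allowSub: RegExp; maxTtlSec: number; leewaySec?: number },
  now: number = Date.now(),
): { ok: boolean; errors: string[] } {
  const errors: string[] = []
  if (!validIssuer(c.iss, policy.allowIss)) errors.push('iss')
  if (!validSubject(c.sub, policy.allowSub)) errors.push('sub')
  // Reject non-numeric timestamps explicitly instead of letting coercion or NaN
  // flow into the arithmetic: JSON-decoded claims may be missing or carry strings.
  if (!Number.isFinite(c.iat) || !Number.isFinite(c.exp)) {
    errors.push('time')
  } else {
    const iat = c.iat * 1000
    const exp = c.exp * 1000
    if (!within(iat, exp, now, policy.leewaySec ?? 60)) errors.push('time')
    if (exp - iat > policy.maxTtlSec * 1000) errors.push('ttl')
  }
  return { ok: errors.length === 0, errors }
}

// Audit and release governance
// Audit the issuer and subject, the time window and the TTL; on an anomaly,
// block and fall back to a trusted signature. Policy changes require approval
// and archival.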
