GitHub Release资产签名与校验治理（Checksum-签名-时间窗）最佳实践

---

title: GitHub Release资产签名与校验治理（Checksum-签名-时间窗）最佳实践

keywords:

• Release
• 资产签名
• Checksum
• 时间窗口
• 审计

description: 对 GitHub Release 资产执行 SHA-256 摘要与签名校验、时间窗口治理，保障下载制品的完整与可信。

categories:

• 文章资讯
• 技术教程

---

实现示例

type Asset = { name: string; sha256: string; url: string }
type Sig = { alg: 'RS256'; kid: string; b64: string; created: number; expires: number }

function hex64(h: string): boolean { return /^[A-Fa-f0-9]{64}$/.test(h) }
function b64(s: string): boolean { return /^[A-Za-z0-9+/=]+$/.test(s) }
function within(created: number, expires: number, now: number, leewaySec: number): boolean { if (expires <= created) return false; return now + leewaySec * 1000 >= created && now - leewaySec * 1000 <= expires }

function evaluate(a: Asset, s: Sig, now: number): { ok: boolean; errors: string[] } {
  const errors: string[] = []
  if (!a.name || !hex64(a.sha256) || !/^https:\/\//.test(a.url)) errors.push('asset')
  if (s.alg !== 'RS256' || !s.kid || !b64(s.b64)) errors.push('sig')
  if (!within(s.created, s.expires, now, 60)) errors.push('time')
  return { ok: errors.length === 0, errors }
}

审计与发布治理

• 审计资产摘要与签名、时间窗口；异常阻断并回退到最近可信版本。
• 变更需审批与归档。