核心要点

制品哈希与签名一同发布;任一校验失败即禁止部署,并回滚到最近一次通过校验的可信版本。密钥轮换采用 `current` 与 `next` 双轨;为每把密钥设定唯一的 `kid` 与生效时间窗口(`notBefore`/`notAfter`),验证时只接受窗口内的密钥。引入透明日志或可验证证书链,降低单点密钥泄露带来的风险。

实现示例

type Key = { kid: string; jwk: JsonWebKey; notBefore: number; notAfter: number }
/**
 * In-memory index of verification keys, addressed by `kid`.
 *
 * NOTE(review): `add` silently replaces an existing entry with the same `kid`.
 * Callers performing rotation should treat `kid`s as unique and never reuse one,
 * otherwise a later `add` can substitute the key a signature is verified against.
 */
class KeyStore {
  private readonly byKid = new Map<string, Key>()

  /** Register (or replace) a key under its own `kid`. */
  add(k: Key): void {
    this.byKid.set(k.kid, k)
  }

  /** Look up a key by `kid`; `undefined` when none is registered. */
  get(kid: string): Key | undefined {
    return this.byKid.get(kid)
  }
}
/**
 * Whether `k` is inside its validity window at `now`, widened by `leewaySec`
 * on both ends to absorb clock skew between signer and verifier.
 *
 * `now`, `notBefore` and `notAfter` are epoch milliseconds; the leeway is given
 * in seconds and converted before being applied. Bounds are inclusive.
 */
function keyUsable(k: Key, now: number, leewaySec: number): boolean {
  const leewayMs = leewaySec * 1000
  const alreadyValid = k.notBefore <= now + leewayMs
  const notYetExpired = k.notAfter >= now - leewayMs
  return alreadyValid && notYetExpired
}
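/**
 * Verify a detached RS256 signature over `data` with the key named by `signed.kid`.
 *
 * Fail-closed rules:
 *  - Only the claimed algorithm `RS256` is accepted, and the actual verification is
 *    pinned to RSASSA-PKCS1-v1_5 / SHA-256 regardless of `signed.alg`, so the header
 *    cannot steer the verifier to a weaker or different algorithm.
 *  - An unknown `kid`, or a key outside its validity window (with `leewaySec` of
 *    clock-skew tolerance), is rejected before any cryptography runs.
 *  - The JWK is imported for the `verify` usage only. A JWK whose `kty`/`alg`/`use`/
 *    `key_ops` disagree with that, or that carries a private component, should be
 *    rejected by WebCrypto's `importKey` — this surfaces as a rejected promise, not a
 *    silent `true`; callers may want to log it as a key-configuration fault.
 *
 * @param data      bytes that were signed
 * @param signed    envelope with key id, claimed algorithm and the base64-encoded signature
 * @param ks        key store resolving `kid` to a `Key`
 * @param now       verification time in epoch milliseconds
 * @param leewaySec clock-skew tolerance applied to the key window (defaults to 60 s,
 *                  matching the previous hard-coded value)
 * @returns `true` only if every check passes and the signature verifies
 */
async function verifySignature(
  data: Uint8Array,
  signed: { kid: string; alg: string; sig: string },
  ks: KeyStore,
  now: number,
  leewaySec = 60,
): Promise<boolean> {
  // Allow-list the claimed algorithm; never let the header pick the primitive.
  if (signed.alg !== 'RS256') return false
  const k = ks.get(signed.kid)
  if (!k || !keyUsable(k, now, leewaySec)) return false
  // Node's 'base64' decoder is documented to also accept the URL-safe alphabet
  // that JWS uses, so both encodings of the signature are handled here.
  const sig = Buffer.from(signed.sig, 'base64')
  // An empty or undecodable signature can never verify; reject before key import.
  if (sig.length === 0) return false
  const key = await crypto.subtle.importKey(
    'jwk',
    k.jwk,
    { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' },
    false,
    ['verify'],
  )
  return crypto.subtle.verify({ name: 'RSASSA-PKCS1-v1_5' }, key, sig, data)
}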
/**
 * Lowercase hex-encoded SHA-256 digest of `buf`, computed with WebCrypto.
 * @param buf bytes to hash
 * @returns 64 lowercase hex characters
 */
async function sha256Hex(buf: Uint8Array): Promise<string> {
  const digest = new Uint8Array(await crypto.subtle.digest('SHA-256', buf))
  return Array.from(digest, byte => byte.toString(16).padStart(2, '0')).join('')
}
/**
 * Check that `buf` hashes (SHA-256) to `expectedHexSha256`.
 *
 * The comparison is case-insensitive on the hex digits only; any other deviation
 * (a `sha256:` prefix, whitespace, wrong length) fails closed. The expected digest
 * is the published value, not a secret, so a plain string comparison is adequate.
 *
 * @param buf               artifact bytes
 * @param expectedHexSha256 published digest, hex-encoded (either case)
 * @returns `true` iff the computed digest equals the expected one
 */
async function verifyArtifactDigest(buf: Uint8Array, expectedHexSha256: string): Promise<boolean> {
  const actual = await sha256Hex(buf)
  const expected = expectedHexSha256.toLowerCase()
  return expected === actual.toLowerCase()
}
发布治理

发布时与部署时双重校验:哈希匹配与签名链验证均通过方可继续,任一失败即中止。轮换窗口内同时接受 `current` 与 `next` 公钥的签名;窗口结束后仅接受新密钥,并应将旧密钥从密钥库移除或令其 `notAfter` 过期,避免无限期地接受已被撤换的密钥。审计记录应保存制品哈希、签名指纹、`kid`、证书摘要与时间窗口,以支持事后追溯与合规审计。
