Helm Chart签名与来源治理（provenance-签名-白名单）最佳实践

实现示例type Chart = { name: string; version: string; digest: string; repo: string } type Prov = { alg: 'RS256'; kid: string; sigB64: string; created: number; expires: number } const allowRepos = new Set<string>(['https://charts.example.com','https://artifacthub.io']) function hex64(h: string): boolean { return /^[A-Fa-f0-9]{64}$/.test(h) } function b64(s: string): boolean { return /^[A-Za-z0-9+/=]+$/.test(s) } function validRepo(u: string): boolean { try { const x = new URL(u); return x.protocol === 'https:' && allowRepos.has(x.origin) } catch { return false } } function within(created: number, expires: number, now: number, leewaySec: number): boolean { if (expires <= created) return false; return now + leewaySec * 1000 >= created && now - leewaySec * 1000 <= expires } function evaluate(chart: Chart, prov: Prov, now: number): { ok: boolean; errors: string[] } { const errors: string[] = [] if (!chart.name || !chart.version || !hex64(chart.digest) || !validRepo(chart.repo)) errors.push('chart') if (prov.alg !== 'RS256' || !prov.kid || !b64(prov.sigB64)) errors.push('prov') if (!within(prov.created, prov.expires, now, 60)) errors.push('time') return { ok: errors.length === 0, errors } } 审计与发布治理审计 Chart 摘要与签名、仓库来源与时间窗口；异常阻断并回退。仅接受受控仓库与合法签名的 Chart。