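// Implementation example

/** One dependency entry as read from a lock/manifest file (possibly untrusted input). */
type NuDep = {
  id: string;
  version: string;
  source: string;
  sha256: string;
  sig?: { alg: 'RS256'; b64: string };
};

/**
 * Feed hosts a dependency may be fetched from. Matched against `URL.host`,
 * which includes a non-default port, so such a port must be listed explicitly.
 */
const allowHosts = new Set<string>(['api.nuget.org', 'nuget.example.com']);

/**
 * True when `h` is exactly 64 hex digits (the textual shape of a SHA-256 digest).
 * Non-string input is rejected instead of being coerced to text.
 */
function hex64(h: unknown): boolean {
  return typeof h === 'string' && /^[A-Fa-f0-9]{64}$/.test(h);
}

/**
 * True when `s` is a non-empty, correctly padded standard base64 string.
 * The earlier check accepted any run of base64 characters, including '='
 * in the middle and the coerced text "undefined" for a missing field.
 */
function b64(s: unknown): boolean {
  if (typeof s !== 'string' || s.length === 0) return false;
  return /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/.test(s);
}

/**
 * True when `u` parses as an https URL whose host is on the allow-list.
 * Unparseable or non-string input counts as invalid.
 * @param u     candidate source URL
 * @param hosts allow-list to check against; defaults to `allowHosts`
 */
function validSource(u: unknown, hosts: ReadonlySet<string> = allowHosts): boolean {
  if (typeof u !== 'string') return false;
  try {
    const parsed = new URL(u);
    // NOTE(review): embedded credentials (user:pass@host) are not rejected here — confirm whether policy requires that.
    return parsed.protocol === 'https:' && hosts.has(parsed.host);
  } catch {
    return false;
  }
}

/**
 * Loose semver check: MAJOR.MINOR.PATCH followed by an optional suffix of
 * `[-A-Za-z0-9_.]` characters. The suffix need not start with '-'.
 */
function semverLike(v: unknown): boolean {
  return typeof v === 'string' && /^(\d+\.\d+\.\d+)(?:[-A-Za-z0-9_.]+)?$/.test(v);
}

/**
 * Policy gate over a dependency list. Every entry is checked independently and
 * every failure is recorded, so a single run reports all problems.
 * Error codes have the form `<check>:<id>` with check in
 * id | version | source | hash | sig.
 * The `sig` check only validates the algorithm tag and base64 shape; no
 * signature is cryptographically verified here.
 * @param list  dependencies to evaluate
 * @param hosts allowed source hosts; defaults to `allowHosts`
 * @returns `ok` is true iff `errors` is empty
 */
function evaluate(list: NuDep[], hosts: ReadonlySet<string> = allowHosts): { ok: boolean; errors: string[] } {
  const errors: string[] = [];
  for (const d of list) {
    if (typeof d.id !== 'string' || d.id.length === 0) errors.push(`id:${d.id}`);
    // Reported separately from `id` so the failing field is identifiable.
    if (!semverLike(d.version)) errors.push(`version:${d.id}`);
    if (!validSource(d.source, hosts)) errors.push(`source:${d.id}`);
    if (!hex64(d.sha256)) errors.push(`hash:${d.id}`);
    if (d.sig && (d.sig.alg !== 'RS256' || !b64(d.sig.b64))) errors.push(`sig:${d.id}`);
  }
  return { ok: errors.length === 0, errors };
}

// Audit and CI gating: audit source domains and hashes/signatures; block and
// roll back on anomalies. Changes require approval and archiving, with support
// for fast traceback.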
