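// Implementation example
/** Detached signature metadata. Only the RS256 algorithm tag is modelled; `b64` is the encoded signature blob. */
type Sig = { alg: 'RS256'; kid: string; b64: string }
/** Image reference: project / repo : tag, plus `digest` as a 64-character hex string (checked by `hex64`). */
type Image = { project: string; repo: string; tag: string; digest: string }
/** Allow-lists consulted by the admission checks: permitted projects and permitted signing-key ids. */
type Policy = { allowProjects: Set<string>; allowKids: Set<string> }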
/**
 * Checks that `h` is exactly 64 hexadecimal characters (either case), the
 * textual form of a 256-bit digest. This is a shape check only: it neither
 * recomputes a digest nor compares `h` against any content.
 *
 * @param h - candidate digest string
 * @returns true when `h` has the 64-hex-char form
 */
function hex64(h: string): boolean {
  const hexDigestLength = 64
  if (h.length !== hexDigestLength) return false
  return /^[0-9a-fA-F]+$/.test(h)
}
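/**
 * Checks that `s` is well-formed standard (RFC 4648 §4) base64: non-empty,
 * length a multiple of 4, alphabet `A-Z a-z 0-9 + /`, and `=` padding only as
 * the final one or two characters. The previous alphabet-only test accepted
 * `=` anywhere and any length, so inputs such as `a=b=` or `====` passed.
 * URL-safe (`-`, `_`) and unpadded variants are rejected, consistent with the
 * alphabet the earlier check already used. This is a syntactic check only; it
 * does not decode the blob or verify anything about its contents.
 *
 * @param s - candidate base64 text
 * @returns true when `s` is canonical padded base64
 */
function b64(s: string): boolean {
  // Whole 4-char quanta, optionally followed by one padded final quantum.
  const canonicalBase64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/
  return s.length > 0 && canonicalBase64.test(s)
}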
/**
 * Image-side admission check: the project must be on the policy allow-list,
 * `repo` and `tag` must be truthy (non-empty), and `digest` must have the
 * 64-hex-char form accepted by `hex64`. Nothing here resolves the tag or
 * confirms that `digest` belongs to the referenced content, and `repo`/`tag`
 * receive no format check beyond non-emptiness.
 *
 * @param i - image reference under evaluation
 * @param p - policy whose `allowProjects` set is consulted
 * @returns true when every check passes
 */
function validImage(i: Image, p: Policy): boolean {
  if (!p.allowProjects.has(i.project)) return false
  const hasCoordinates = Boolean(i.repo) && Boolean(i.tag)
  return hasCoordinates && hex64(i.digest)
}
/**
 * Signature-side admission check: the algorithm tag must be `RS256`, the key
 * id must be on the policy allow-list, and the blob must look like base64 per
 * `b64`. No RSA verification happens here — no key is loaded and no message is
 * checked — so any well-formed blob under an allowed `kid` passes. The actual
 * cryptographic verification must be performed elsewhere before this result is
 * relied upon.
 *
 * @param s - signature metadata
 * @param p - policy whose `allowKids` set is consulted
 * @returns true when the structural checks pass
 */
function validSig(s: Sig, p: Policy): boolean {
  const algorithmOk = s.alg === 'RS256'
  if (!algorithmOk) return false
  if (!p.allowKids.has(s.kid)) return false
  return b64(s.b64)
}
/**
 * Pull admission decision: both the image and the signature must pass their
 * structural checks. `i` and `s` are evaluated independently — nothing in this
 * function ties the signature to `i.digest` — so as written a blob accepted
 * under an allowed `kid` is accepted alongside any allowed image. Binding the
 * signature to the digest, and verifying it, must be done by the caller.
 *
 * @param i - image reference
 * @param s - signature metadata
 * @param p - admission policy
 * @returns true only when both `validImage` and `validSig` return true
 */
function allowPull(i: Image, s: Sig, p: Policy): boolean {
  if (!validImage(i, p)) return false
  return validSig(s, p)
}
审计与运行治理

审计签名密钥与项目、摘要；不合规阻断并回退。策略变更需审批与归档。
