chore: 除了开启签名外，验证脚本也通过

scripts/patch_tools/install_patch_system.sh

@@ -5,6 +5,7 @@ set -euo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 INSTALL_DIR="/opt/patch-management"
+CONFIG_FILE="${SCRIPT_DIR}/patch_config.sh"
 
 log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"; }
 info() { log "INFO: $1"; }
@@ -62,6 +63,17 @@ get_cmd_prefix() {
     fi
 }
 
+# 配置加载
+load_config() {
+    if [[ ! -f "$CONFIG_FILE" ]]; then
+        error "配置文件不存在: $CONFIG_FILE"
+        exit 1
+    fi
+
+    source "$CONFIG_FILE"
+    info "配置文件加载完成"
+}
+
 install_dependencies() {
     info "安装系统依赖..."
     
@@ -185,6 +197,30 @@ setup_cron() {
     fi
 }
 
+generate_gpg_key() {
+    local name="${1:-John Doe}"
+    local email="${2:-johndoe@example.com}"
+    local key_type="${3:-RSA}"
+    local key_length="${4:-4096}"
+    
+    cat > /tmp/gpg_batch << EOF
+Key-Type: $key_type
+Key-Length: $key_length
+Subkey-Type: $key_type
+Subkey-Length: $key_length
+Name-Real: $name
+Name-Email: $email
+Expire-Date: 0
+%commit
+EOF
+
+    gpg --batch --generate-key /tmp/gpg_batch
+    rm -f /tmp/gpg_batch
+    
+    echo "✅ 密钥生成完成"
+    gpg --list-secret-keys --keyid-format LONG "$email"
+}
+
 generate_keys() {
     info "生成签名密钥..."
     
@@ -194,6 +230,9 @@ generate_keys() {
     
     if [[ ! -f "$key_dir/private.pem" ]]; then
         $sudo_prefix mkdir -p "$key_dir"
+
+        # 生成GPG密钥对
+        generate_gpg_key "$PATCH_AUTHOR" "$PATCH_EMAIL" "RSA" "4096"
         
         # 生成RSA密钥对
         openssl genrsa -out "$key_dir/private.pem" 4096
@@ -211,6 +250,10 @@ generate_keys() {
 main() {
     info "开始安装企业级补丁管理系统"
     echo "========================================"
+    echo "📋 安装配置文件: $INSTALL_DIR/patch_config.sh"
+
+    # 加载配置
+    load_config
     
     # 检查运行环境
     if is_docker_environment; then

scripts/patch_tools/patch_verifier.sh

@@ -165,21 +165,23 @@ verify_security() {
     fi
     
     # 签名验证
-    if [[ -f "${package_path}.sig" ]]; then
+    if [[ "$SIGNING_ENABLED" == "true" ]] ;then
-        if command -v gpg >/dev/null 2>&1; then
+        if [[ -f "${package_path}.sig" ]]; then
-            if gpg --verify "${package_path}.sig" "$package_path" >/dev/null 2>&1; then
+            if command -v gpg >/dev/null 2>&1; then
-                info "✅ 签名验证通过"
+                if gpg --verify "${package_path}.sig" "$package_path" >/dev/null 2>&1; then
+                    info "✅ 签名验证通过"
+                else
+                    error "❌ 签名验证失败"
+                    result=false
+                fi
             else
-                error "❌ 签名验证失败"
+                warn "⚠️  GPG未安装，跳过签名验证"
-                result=false
             fi
         else
-            warn "⚠️  GPG未安装，跳过签名验证"
+            warn "⚠️  未找到签名文件"
-        fi
+        fi    
-    else
-        warn "⚠️  未找到签名文件"
     fi
-    
+
     $result
 }
 
@@ -192,6 +194,7 @@ verify_content() {
     
     # 解压补丁包
     local extract_dir="$TEMP_DIR/extract"
+    mkdir -p "$extract_dir"
     if ! tar -xzf "$package_path" -C "$extract_dir"; then
         error "❌ 补丁包解压失败"
         return false