diff --git a/pkg/machine/ocipull/policy.go b/pkg/machine/ocipull/policy.go new file mode 100644 index 0000000000..aab3b81dda --- /dev/null +++ b/pkg/machine/ocipull/policy.go @@ -0,0 +1,47 @@ +package ocipull + +import ( + "fmt" + "os" + "path/filepath" +) + +// DefaultPolicyJSONPath should be overwritten at build time with the real path to the directory where +// the shipped policy.json file is located. This can either be absolute path or a relative path. If it +// is relative it will be resolved relative to the podman binary and NOT the CWD. +// +// use "-X github.com/containers/podman/v5/pkg/machine/ocipull.DefaultPolicyJSONPath=/somepath" in go ldflags to overwrite this +var DefaultPolicyJSONPath = "" + +const policyfile = "policy.json" + +type defaultPolicyError struct { + errs []error +} + +func (e *defaultPolicyError) Error() string { + return fmt.Sprintf("no DefaultPolicyJSONPath defined and no local overwrites found: %q", e.errs) +} + +func policyPath() (string, error) { + paths := localPolicyOverwrites() + errs := make([]error, 0, len(paths)) + for _, path := range paths { + _, err := os.Stat(path) + if err == nil { + return path, nil + } + errs = append(errs, err) + } + if DefaultPolicyJSONPath != "" { + if filepath.IsAbs(DefaultPolicyJSONPath) { + return filepath.Join(DefaultPolicyJSONPath, policyfile), nil + } + p, err := os.Executable() + if err != nil { + return "", fmt.Errorf("could not resolve relative path to binary: %w", err) + } + return filepath.Join(p, DefaultPolicyJSONPath, policyfile), nil + } + return "", &defaultPolicyError{errs: errs} +} diff --git a/pkg/machine/ocipull/policy_unix.go b/pkg/machine/ocipull/policy_unix.go new file mode 100644 index 0000000000..2fd0443583 --- /dev/null +++ b/pkg/machine/ocipull/policy_unix.go @@ -0,0 +1,19 @@ +//go:build !windows + +package ocipull + +import ( + "path/filepath" + + "github.com/containers/common/pkg/config" + "github.com/containers/storage/pkg/homedir" +) + +func localPolicyOverwrites() []string { + var dirs []string + if p, err := homedir.GetConfigHome(); err == nil { + dirs = append(dirs, filepath.Join(p, "containers", policyfile)) + } + dirs = append(dirs, config.DefaultSignaturePolicyPath) + return dirs +} diff --git a/pkg/machine/ocipull/policy_windows.go b/pkg/machine/ocipull/policy_windows.go new file mode 100644 index 0000000000..3a1c31932c --- /dev/null +++ b/pkg/machine/ocipull/policy_windows.go @@ -0,0 +1,10 @@ +package ocipull + +import ( + "os" + "path/filepath" +) + +func localPolicyOverwrites() []string { + return []string{filepath.Join(os.Getenv("APPDATA"), "containers", policyfile)} +} diff --git a/pkg/machine/ocipull/pull.go b/pkg/machine/ocipull/pull.go index e484964da7..dce8147d9d 100644 --- a/pkg/machine/ocipull/pull.go +++ b/pkg/machine/ocipull/pull.go @@ -44,9 +44,14 @@ func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *d sysCtx.DockerAuthConfig = authConf } - policy, err := signature.DefaultPolicy(sysCtx) + path, err := policyPath() if err != nil { - return fmt.Errorf("obtaining default signature policy: %w", err) + return err + } + + policy, err := signature.NewPolicyFromFile(path) + if err != nil { + return fmt.Errorf("obtaining signature policy: %w", err) } policyContext, err := signature.NewPolicyContext(policy) if err != nil {