fix(signing): Regression in scenario when policy.json doesn't exist…

… in the image `policy.json` template should be copied in that case, while existing `policy.json` should remain.
blue-build · Dec 16, 2024 · 7451299 · 7451299
1 parent 23e3611
commit 7451299
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/modules/signing/signing.sh b/modules/signing/signing.sh
@@ -29,6 +29,7 @@ if ! [ -f "/etc/pki/containers/${IMAGE_NAME_FILE}.pub" ]; then
 fi
 
 TEMPLATE_POLICY="${MODULE_DIRECTORY}/signing/policy.json"
+
 # Copy policy.json to '/usr/etc/containers/' on Universal Blue based images
 # until they solve the issue by copying 'policy.json' to '/etc/containers/' instead
 if rpm -q ublue-os-signing &>/dev/null; then
@@ -40,6 +41,10 @@ else
   POLICY_FILE="${CONTAINER_DIR}/policy.json"
 fi
 
+if ! [ -f "${POLICY_FILE}" ]; then
+  cp "${TEMPLATE_POLICY}" "${POLICY_FILE}"
+fi
+
 jq --arg image_registry "${IMAGE_REGISTRY}" \
    --arg image_name "${IMAGE_NAME}" \
    --arg image_name_file "${IMAGE_NAME_FILE}" \
@@ -52,7 +57,9 @@ jq --arg image_registry "${IMAGE_REGISTRY}" \
                 "type": "matchRepository"
             }
         }
-    ] } + .' "${TEMPLATE_POLICY}" > "${POLICY_FILE}"
+    ] } + .' "${POLICY_FILE}" > "/tmp/POLICY.tmp"
+
+mv "/tmp/POLICY.tmp" "${POLICY_FILE}"
 
 mv "${MODULE_DIRECTORY}/signing/registry-config.yaml" "${CONTAINER_DIR}/registries.d/${IMAGE_NAME_FILE}.yaml"
 sed -i "s ghcr.io/IMAGENAME ${IMAGE_REGISTRY} g" "${CONTAINER_DIR}/registries.d/${IMAGE_NAME_FILE}.yaml"