From 7451299a5aab930cc52ae3216d97d00270c3015c Mon Sep 17 00:00:00 2001
From: fiftydinar <65243233+fiftydinar@users.noreply.github.com>
Date: Mon, 16 Dec 2024 22:59:57 +0100
Subject: [PATCH] fix(signing): Regression in scenario when `policy.json` doesn't exist in the image

`policy.json` template should be copied in that case, while existing `policy.json` should remain.
---
 modules/signing/signing.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/signing/signing.sh b/modules/signing/signing.sh
index 77b049e..3fbfe0d 100644
--- a/modules/signing/signing.sh
+++ b/modules/signing/signing.sh
@@ -29,6 +29,7 @@ if ! [ -f "/etc/pki/containers/${IMAGE_NAME_FILE}.pub" ]; then
 fi

 TEMPLATE_POLICY="${MODULE_DIRECTORY}/signing/policy.json"
+
 # Copy policy.json to '/usr/etc/containers/' on Universal Blue based images
 # until they solve the issue by copying 'policy.json' to '/etc/containers/' instead
 if rpm -q ublue-os-signing &>/dev/null; then
@@ -40,6 +41,10 @@ else
 POLICY_FILE="${CONTAINER_DIR}/policy.json"
 fi

+if ! [ -f "${POLICY_FILE}" ]; then
+ cp "${TEMPLATE_POLICY}" "${POLICY_FILE}"
+fi
+
 jq --arg image_registry "${IMAGE_REGISTRY}" \
 --arg image_name "${IMAGE_NAME}" \
 --arg image_name_file "${IMAGE_NAME_FILE}" \
@@ -52,7 +57,9 @@ jq --arg image_registry "${IMAGE_REGISTRY}" \
 "type": "matchRepository"
 }
 }
- ] } + .' "${TEMPLATE_POLICY}" > "${POLICY_FILE}"
+ ] } + .' "${POLICY_FILE}" > "/tmp/POLICY.tmp"
+
+mv "/tmp/POLICY.tmp" "${POLICY_FILE}"

 mv "${MODULE_DIRECTORY}/signing/registry-config.yaml" "${CONTAINER_DIR}/registries.d/${IMAGE_NAME_FILE}.yaml"
 sed -i "s ghcr.io/IMAGENAME ${IMAGE_REGISTRY} g" "${CONTAINER_DIR}/registries.d/${IMAGE_NAME_FILE}.yaml"
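Review bot: Keeping a pre-existing `${POLICY_FILE}` means its content now feeds the jq merge unvalidated, and the `[ -f "${POLICY_FILE}" ]` test in the second hunk does not tell a usable policy from an empty or malformed one. In jq's object addition the right-hand operand wins on duplicate keys, so with the filter ending in `] } + .` an entry the base image already carries for the same key would override the generated one; the opening of the filter is outside this patch, so whether that key is the registry under the docker transport should be confirmed. If the generated signing requirement is meant to be authoritative, put the existing object on the left of the `+`, or fail the build when the key is already present. A `jq empty "${POLICY_FILE}"` check before the merge would also reject a broken inherited file early.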
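Review bot: The merge result in the third hunk is written to the fixed path `/tmp/POLICY.tmp` and then moved over `${POLICY_FILE}` without checking that jq succeeded, so a failed merge can replace the policy with an empty or partial file unless the script runs under `set -e`, which is not visible in this patch. A temp file created next to the target avoids the predictable name and keeps the rename on one filesystem: `tmp_policy="$(mktemp "${POLICY_FILE}.XXXXXX")"`, then `jq … "${POLICY_FILE}" > "${tmp_policy}" && mv "${tmp_policy}" "${POLICY_FILE}"`. Because mktemp creates the file with mode 0600, a `chmod 644 "${tmp_policy}"` before the move keeps the policy readable for processes that do not run as root. The jq command starts before this hunk, so only its closing line is shown here.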