Merge pull request #19231 from ariasmn/trust-local-policy

Fix `trust` not using local policy file

pkg/trust/policy.go

@@ -7,6 +7,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io/fs"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -14,6 +15,7 @@ import (
 
 	"github.com/containers/common/pkg/config"
 	"github.com/containers/image/v5/types"
+	"github.com/containers/storage/pkg/homedir"
 	"github.com/sirupsen/logrus"
 )
 
@@ -54,14 +56,22 @@ type genericRepoMap map[string]json.RawMessage
 
 // DefaultPolicyPath returns a path to the default policy of the system.
 func DefaultPolicyPath(sys *types.SystemContext) string {
+	if sys != nil && sys.SignaturePolicyPath != "" {
+		return sys.SignaturePolicyPath
+	}
+
+	userPolicyFilePath := filepath.Join(homedir.Get(), filepath.FromSlash(".config/containers/policy.json"))
+	_, err := os.Stat(userPolicyFilePath)
+	if err == nil {
+		return userPolicyFilePath
+	}
+	if !errors.Is(err, fs.ErrNotExist) {
+		logrus.Warnf("Error trying to read local config file: %s", err.Error())
+	}
+
 	systemDefaultPolicyPath := config.DefaultSignaturePolicyPath
-	if sys != nil {
+	if sys != nil && sys.RootForImplicitAbsolutePaths != "" {
-		if sys.SignaturePolicyPath != "" {
+		return filepath.Join(sys.RootForImplicitAbsolutePaths, systemDefaultPolicyPath)
-			return sys.SignaturePolicyPath
-		}
-		if sys.RootForImplicitAbsolutePaths != "" {
-			return filepath.Join(sys.RootForImplicitAbsolutePaths, systemDefaultPolicyPath)
-		}
 	}
 	return systemDefaultPolicyPath
 }