Merge pull request #15870 from idleroamer/podman-save

podman-save: Add signature-policy flag

4 files changed, 17 insertions, 1 deletions

diff --git a/cmd/podman/images/save.go b/cmd/podman/images/save.go
index ecff0f841..426684d49 100644
--- a/cmd/podman/images/save.go
+++ b/cmd/podman/images/save.go
@@ -96,6 +96,11 @@ func saveFlags(cmd *cobra.Command) {
 
 	flags.BoolVarP(&saveOpts.Quiet, "quiet", "q", false, "Suppress the output")
 	flags.BoolVarP(&saveOpts.MultiImageArchive, "multi-image-archive", "m", containerConfig.Engine.MultiImageArchive, "Interpret additional arguments as images not tags and create a multi-image-archive (only for docker-archive)")
+
+	if !registry.IsRemote() {
+		flags.StringVar(&saveOpts.SignaturePolicy, "signature-policy", "", "Path to a signature-policy file")
+		_ = flags.MarkHidden("signature-policy")
+	}
 }
 
 func save(cmd *cobra.Command, args []string) (finalErr error) {
diff --git a/pkg/domain/entities/images.go b/pkg/domain/entities/images.go
index cad11b0ab..b1eb3b005 100644
--- a/pkg/domain/entities/images.go
+++ b/pkg/domain/entities/images.go
@@ -335,7 +335,8 @@ type ImageSaveOptions struct {
 	// Output - write image to the specified path.
 	Output string
 	// Quiet - suppress output when copying images
-	Quiet bool
+	Quiet           bool
+	SignaturePolicy string
 }
 
 // ImageScpOptions provide options for securely copying images to and from a remote host
diff --git a/pkg/domain/infra/abi/images.go b/pkg/domain/infra/abi/images.go
index 9ea09e1ec..16b75829f 100644
--- a/pkg/domain/infra/abi/images.go
+++ b/pkg/domain/infra/abi/images.go
@@ -405,6 +405,7 @@ func (ir *ImageEngine) Save(ctx context.Context, nameOrID string, tags []string,
 	saveOptions := &libimage.SaveOptions{}
 	saveOptions.DirForceCompress = options.Compress
 	saveOptions.OciAcceptUncompressedLayers = options.OciAcceptUncompressedLayers
+	saveOptions.SignaturePolicyPath = options.SignaturePolicy
 
 	// Force signature removal to preserve backwards compat.
 	// See https://github.com/containers/podman/pull/11669#issuecomment-925250264
diff --git a/test/e2e/save_test.go b/test/e2e/save_test.go
index f6a06d0ff..db353c036 100644
--- a/test/e2e/save_test.go
+++ b/test/e2e/save_test.go
@@ -45,6 +45,15 @@ var _ = Describe("Podman save", func() {
 		Expect(save).Should(Exit(0))
 	})
 
+	It("podman save signature-policy flag", func() {
+		SkipIfRemote("--signature-policy N/A for remote")
+		outfile := filepath.Join(podmanTest.TempDir, "alpine.tar")
+
+		save := podmanTest.Podman([]string{"save", "--signature-policy", "/etc/containers/policy.json", "-o", outfile, ALPINE})
+		save.WaitWithDefaultTimeout()
+		Expect(save).Should(Exit(0))
+	})
+
 	It("podman save oci flag", func() {
 		outfile := filepath.Join(podmanTest.TempDir, "alpine.tar")