image-rs: allow image when no signature rule covers

Xynnn007 · Xynnn007 · commit f09d8b758b6c · 2025-05-13T13:17:24.000+08:00
If the policy file has no rules for a specific image, the image should
be allowed rather than raise an error. This is common when there is no
default rules for the policy.

Signed-off-by: Xynnn007 &lt;xynnn@linux.alibaba.com&gt;
diff --git a/image-rs/src/signature/mod.rs b/image-rs/src/signature/mod.rs
@@ -139,7 +139,8 @@ impl SignatureValidator {
         // Get the policy set that matches the image.
         let reqs = self.policy.requirements_for_image(&image);
         if reqs.is_empty() {
-            bail!("List of verification policy requirements must not be empty");
+            // Note that if no policy covers the image, the image is considered to be allowed.
+            return Ok(());
         }
 
         // The image must meet the requirements of each policy in the policy set.

Original file line number	Diff line number	Diff line change
`@@ -139,7 +139,8 @@ impl SignatureValidator {`
`139`	`139`	`// Get the policy set that matches the image.`
`140`	`140`	`let reqs = self.policy.requirements_for_image(&image);`
`141`	`141`	`if reqs.is_empty() {`
`142`		`- bail!("List of verification policy requirements must not be empty");`
	`142`	`+ // Note that if no policy covers the image, the image is considered to be allowed.`
	`143`	`+ return Ok(());`
`143`	`144`	`}`
`144`	`145`
`145`	`146`	`// The image must meet the requirements of each policy in the policy set.`