diff --git a/commit.go b/commit.go
index 05d1550b3..99b307305 100644
--- a/commit.go
+++ b/commit.go
@@ -106,6 +106,22 @@ type PushOptions struct {
 Quiet bool
 }
 
+var (
+ // commitPolicy bypasses any signing requirements when committing containers to images
+ commitPolicy = &signature.Policy{
+ Default: []signature.PolicyRequirement{signature.NewPRReject()},
+ Transports: map[string]signature.PolicyTransportScopes{
+ is.Transport.Name(): {
+ "": []signature.PolicyRequirement{
+ signature.NewPRInsecureAcceptAnything(),
+ },
+ },
+ },
+ }
+ // pushPolicy bypasses any signing requirements when pushing (copying) images from local storage
+ pushPolicy = commitPolicy
+)
+
 // Commit writes the contents of the container, along with its updated
 // configuration, to a new image in the specified location, and if we know how,
 // add any additional tags that were specified. Returns the ID of the new image
@@ -141,11 +157,7 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
 return "", nil, "", errors.Errorf("commit access to registry for %q is blocked by configuration", transports.ImageName(dest))
 }
 
- policy, err := signature.DefaultPolicy(systemContext)
- if err != nil {
- return imgID, nil, "", errors.Wrapf(err, "error obtaining default signature policy")
- }
- policyContext, err := signature.NewPolicyContext(policy)
+ policyContext, err := signature.NewPolicyContext(commitPolicy)
 if err != nil {
 return imgID, nil, "", errors.Wrapf(err, "error creating new signature policy context")
 }
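Review bot: The doc comment on `commitPolicy` ("bypasses any signing requirements") leaves out the fact a maintainer actually needs: the configured policy (`--signature-policy`, i.e. `systemContext.SignaturePolicyPath`) is deliberately no longer consulted by Commit or Push, and an administrator who has restricted the `containers-storage` transport in policy.json will find that restriction has no effect on these two code paths. Record that explicitly, e.g. `// commitPolicy replaces the system signature policy for commit/push: c/image only evaluates policy against the source, which here is always local storage, so the configured policy (which governs pulls) is intentionally not applied.` `pushPolicy = commitPolicy` also makes the two names one `*signature.Policy`, and that pointer is shared by every `signature.NewPolicyContext` call, so any later per-call tweak to `Transports` would leak into the other path and into concurrent callers; either build `pushPolicy` as its own literal or add `// pushPolicy aliases commitPolicy; both must stay read-only after init` so nobody mutates it.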
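Review bot: At `policyContext, err := signature.NewPolicyContext(commitPolicy)` nothing at the call site says why the caller's signature-policy setting is now ignored, so a reader comparing Commit with the pull path will read it as a regression rather than a decision. Add a why-comment above the line, e.g. `// Commit copies from local storage, which commitPolicy accepts unconditionally; the configured signature policy governs pulls, not commits.` The corresponding line in Push in the next hunk (`NewPolicyContext(pushPolicy)`) needs the same comment. Commit's body starts and continues outside this hunk, so I cannot see whether `policyContext.Destroy()` is still deferred after this point; worth confirming since the context is now created from a shared package-level policy.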
@@ -280,11 +292,7 @@ func Push(ctx context.Context, image string, dest types.ImageReference, options
 return nil, "", errors.Errorf("push access to registry for %q is blocked by configuration", transports.ImageName(dest))
 }
 
- policy, err := signature.DefaultPolicy(systemContext)
- if err != nil {
- return nil, "", errors.Wrapf(err, "error obtaining default signature policy")
- }
- policyContext, err := signature.NewPolicyContext(policy)
+ policyContext, err := signature.NewPolicyContext(pushPolicy)
 if err != nil {
 return nil, "", errors.Wrapf(err, "error creating new signature policy context")
 }
diff --git a/tests/bud.bats b/tests/bud.bats
index 102229abc..3b186d29c 100644
--- a/tests/bud.bats
+++ b/tests/bud.bats
@@ -1194,6 +1194,7 @@ load helpers
 run_buildah --debug=false bud --signature-policy ${TESTSDIR}/policy.json -v ${TESTSDIR}:/testdir ${TESTSDIR}/bud/mount
 expect_output --substring "/testdir"
 }
+
 @test "bud-copy-dot with --layers picks up changed file" {
 cp -a ${TESTSDIR}/bud/use-layers ${TESTDIR}/use-layers
 
@@ -1211,3 +1212,29 @@ load helpers
 buildah rmi -a -f
 }
 
+
+@test "buildah-bud-policy" {
+ target=foo
+
+ # A deny-all policy should prevent us from pulling the base image.
+ run_buildah '?' bud --signature-policy ${TESTSDIR}/deny.json -t ${target} -v ${TESTSDIR}:/testdir ${TESTSDIR}/bud/mount
+ [ "$status" -ne 0 ]
+ expect_output --substring 'Source image rejected: Running image .* rejected by policy.'
+ run_buildah rmi -a -f
+
+ # A docker-only policy should allow us to pull the base image and commit.
+ run_buildah bud --signature-policy ${TESTSDIR}/docker.json -t ${target} -v ${TESTSDIR}:/testdir ${TESTSDIR}/bud/mount
+ # A deny-all policy shouldn't break pushing.
+ run_buildah push --signature-policy ${TESTSDIR}/deny.json ${target} dir:${TESTDIR}/mount
+ run_buildah rmi -a -f
+
+ # A docker-only policy should allow us to pull the base image first...
+ run_buildah pull --signature-policy ${TESTSDIR}/docker.json alpine
+ # ... and since we don't need to pull the base image, a deny-all policy shouldn't break a build.
+ run_buildah bud --signature-policy ${TESTSDIR}/deny.json -t ${target} -v ${TESTSDIR}:/testdir ${TESTSDIR}/bud/mount
+ # A deny-all policy shouldn't break pushing.
+ run_buildah push --signature-policy ${TESTSDIR}/deny.json ${target} dir:${TESTDIR}/mount
+ # A deny-all policy shouldn't break committing directly to other storage.
+ run_buildah bud --signature-policy ${TESTSDIR}/deny.json -t dir:${TESTDIR}/mount -v ${TESTSDIR}:/testdir ${TESTSDIR}/bud/mount
+ run_buildah rmi -a -f
+}
diff --git a/tests/deny.json b/tests/deny.json
new file mode 100644
index 000000000..3dcc4d7f9
--- /dev/null
+++ b/tests/deny.json
@@ -0,0 +1,7 @@
+{
+ "default": [
+ {
+ "type": "reject"
+ }
+ ]
+}
diff --git a/tests/docker.json b/tests/docker.json
new file mode 100644
index 000000000..ca1d5c6bc
--- /dev/null
+++ b/tests/docker.json
@@ -0,0 +1,6 @@
+{
+ "default": [ { "type": "reject" } ],
+ "transports": {
+ "docker": { "": [ { "type": "insecureAcceptAnything" } ] }
+ }
+}
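Review bot: The positive cases in `buildah-bud-policy` (every `run_buildah` call without the `'?'` prefix) only test anything if the helper loaded by `load helpers` aborts the test on a non-zero exit; if it does not, the docker.json build, both `push` calls and the `dir:` commit pass silently even when the hardcoded commit/push policy regresses. If the helper does not assert, add `[ "$status" -eq 0 ]` after each of those calls; if it does, a one-line comment at the top of the test saying so would spare the next reader the trip to the helper file. The match `'Source image rejected: Running image .* rejected by policy.'` is also tied to c/image's exact wording rather than anything buildah emits, so it will break on a vendor bump — a shorter anchor such as `'rejected by policy'` is more stable while still proving the deny policy was enforced.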