registry-then-notary instead of other way around

Signed-off-by: Trishank K Kuppusamy <trishank.kuppusamy@datadoghq.com>
cnabio · Feb 6, 2020 · 2889e44 · 2889e44
1 parent a859999
commit 2889e44
Showing 1 changed file with 11 additions and 6 deletions.
diff --git a/cmd/sign.go b/cmd/sign.go
@@ -109,16 +109,21 @@ func (s *signCmd) run() error {
 		cm = &custom
 	}
 
+	// NOTE: We first push to the Registry, and then Notary. This is so that if we modify the bundle locally,
+	// we will not invalidate its signature by first pushing to Notary, and then the Registry.
+
+	// We push only thin bundles to the Registry.
+	if !s.thick {
+		if err := cnab.Push(s.file, s.ref); err != nil {
+			return err
+		}
+	}
+
 	target, err := tuf.SignAndPublish(trustDir, trustServer, s.ref, s.file, tlscacert, s.rootKey, timeout, cm)
 	if err != nil {
 		return fmt.Errorf("cannot sign and publish trust data: %v", err)
 	}
 
 	log.Infof("Pushed trust data for %v: %v\n", s.ref, hex.EncodeToString(target.Hashes["sha256"]))
-
-	if s.thick {
-		return nil
-	}
-
-	return cnab.Push(s.file, s.ref)
+	return nil
 }