From 2889e44ce1e6700ab4313c36363e7cd4d978ef65 Mon Sep 17 00:00:00 2001
From: Trishank K Kuppusamy
Date: Thu, 6 Feb 2020 17:42:17 -0500
Subject: [PATCH] registry-then-notary instead of other way around

Signed-off-by: Trishank K Kuppusamy
---
 cmd/sign.go | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/cmd/sign.go b/cmd/sign.go
index b477639..eb6d0ef 100644
--- a/cmd/sign.go
+++ b/cmd/sign.go
@@ -109,16 +109,21 @@ func (s *signCmd) run() error {
 cm = &custom
 }
+ // NOTE: We first push to the Registry, and then Notary. This is so that if we modify the bundle locally,
+ // we will not invalidate its signature by first pushing to Notary, and then the Registry.
+
+ // We push only thin bundles to the Registry.
+ if !s.thick {
+ if err := cnab.Push(s.file, s.ref); err != nil {
+ return err
+ }
+ }
+
 target, err := tuf.SignAndPublish(trustDir, trustServer, s.ref, s.file, tlscacert, s.rootKey, timeout, cm)
 if err != nil {
 return fmt.Errorf("cannot sign and publish trust data: %v", err)
 }
 log.Infof("Pushed trust data for %v: %v\n", s.ref, hex.EncodeToString(target.Hashes["sha256"]))
-
- if s.thick {
- return nil
- }
-
- return cnab.Push(s.file, s.ref)
+ return nil
 }
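Review bot: With the new ordering, a failure in `tuf.SignAndPublish` now leaves the thin bundle already pushed to the registry with no trust data published for it, whereas before this hunk a signing failure left nothing published; the returned error does not tell the operator that the push already happened, so they cannot know a consumer with trust enforcement will see an unsigned reference. Wrapping both errors makes the partial state visible: `return fmt.Errorf("cannot push bundle to registry: %v", err)` for the push, and `return fmt.Errorf("bundle pushed to registry but cannot sign and publish trust data: %v", err)` for the signing step, which also matches the existing error style in the hunk rather than the bare `return err`. The NOTE comment would be clearer stating the invariant directly rather than the hypothetical, e.g. `// Push to the registry first: pushing may modify the bundle on disk, and the trust data must be computed over the bundle exactly as pushed.` — whether Push actually rewrites s.file is not visible here and should be confirmed before wording it as fact. The enclosing run() method starts before the hunk.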