Plugins: Fix descendent frontend plugin signature validation (#28638)

* move plugin root check to earlier in validation process * remove comment * only check root if necessary

Plugins: Fix descendent frontend plugin signature validation (#28638)
* move plugin root check to earlier in validation process * remove comment * only check root if necessary
b9d71f5c · Will Browne · GitHub · 2be217e0 · b9d71f5c
Commit b9d71f5c authored Oct 29, 2020 by Will Browne Committed by GitHub Oct 29, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 6 deletions

pkg/plugins/plugins.go
+6 -6

No files found.
--- a/pkg/plugins/plugins.go
+++ b/pkg/plugins/plugins.go
@@ -373,12 +373,6 @@ func (scanner *PluginScanner) IsBackendOnlyPlugin(pluginType string) bool {
 // validateSignature validates a plugin's signature.
 func (s *PluginScanner) validateSignature(plugin *PluginBase) *PluginError {
-	// For the time being, we choose to only require back-end plugins to be signed
-	// NOTE: the state is calculated again when setting metadata on the object
-	if !plugin.Backend || !s.requireSigned {
-		return nil
-	}
 	if plugin.Signature == PluginSignatureValid {
 		s.log.Debug("Plugin has valid signature", "id", plugin.Id)
 		return nil
@@ -403,6 +397,12 @@ func (s *PluginScanner) validateSignature(plugin *PluginBase) *PluginError {
 			"state", plugin.Signature)
 	}
+	// For the time being, we choose to only require back-end plugins to be signed
+	// NOTE: the state is calculated again when setting metadata on the object
+	if !plugin.Backend || !s.requireSigned {
+		return nil
+	}
 	switch plugin.Signature {
 	case PluginSignatureUnsigned:
 		allowUnsigned := false