From b9d71f5cddd88a150c3655e5f578e30001617feb Mon Sep 17 00:00:00 2001
From: Will Browne <wbrowne@users.noreply.github.com>
Date: Thu, 29 Oct 2020 15:03:37 +0100
Subject: [PATCH] Plugins: Fix descendent frontend plugin signature validation
 (#28638)

* move plugin root check to earlier in validation process

* remove comment

* only check root if necessary
---
 pkg/plugins/plugins.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/pkg/plugins/plugins.go b/pkg/plugins/plugins.go
index 0cffde11c10..0e64fed1b1c 100644
--- a/pkg/plugins/plugins.go
+++ b/pkg/plugins/plugins.go
@@ -373,12 +373,6 @@ func (scanner *PluginScanner) IsBackendOnlyPlugin(pluginType string) bool {
 
 // validateSignature validates a plugin's signature.
 func (s *PluginScanner) validateSignature(plugin *PluginBase) *PluginError {
-	// For the time being, we choose to only require back-end plugins to be signed
-	// NOTE: the state is calculated again when setting metadata on the object
-	if !plugin.Backend || !s.requireSigned {
-		return nil
-	}
-
 	if plugin.Signature == PluginSignatureValid {
 		s.log.Debug("Plugin has valid signature", "id", plugin.Id)
 		return nil
@@ -403,6 +397,12 @@ func (s *PluginScanner) validateSignature(plugin *PluginBase) *PluginError {
 			"state", plugin.Signature)
 	}
 
+	// For the time being, we choose to only require back-end plugins to be signed
+	// NOTE: the state is calculated again when setting metadata on the object
+	if !plugin.Backend || !s.requireSigned {
+		return nil
+	}
+
 	switch plugin.Signature {
 	case PluginSignatureUnsigned:
 		allowUnsigned := false