From 6c627900143fae3f058cfa17b506eb3291d6aac0 Mon Sep 17 00:00:00 2001
From: Joel Verhagen <jver@microsoft.com>
Date: Sun, 25 Feb 2018 22:38:03 -0800
Subject: [PATCH] Add the package validation state before adding the signature
 records (#349)

Fix https://github.com/NuGet/Engineering/issues/1186
---
 .../SignatureValidator.cs                                   | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/Validation.PackageSigning.ExtractAndValidateSignature/SignatureValidator.cs b/src/Validation.PackageSigning.ExtractAndValidateSignature/SignatureValidator.cs
index e71165fab..33d555b0b 100644
--- a/src/Validation.PackageSigning.ExtractAndValidateSignature/SignatureValidator.cs
+++ b/src/Validation.PackageSigning.ExtractAndValidateSignature/SignatureValidator.cs
@@ -202,11 +202,13 @@ private async Task<SignatureValidatorResult> HandleSignedPackageAsync(
                     new ClientSigningVerificationFailure(ex.Code.ToString(), ex.Message));
             }
 
+            // Mark this package as signed. This needs to happen before the extraction due to a foreign key constraint.
+            var result = await AcceptAsync(packageKey, message, PackageSigningStatus.Valid);
+
             // Extract all of the signature artifacts and persist them.
             await _signaturePartsExtractor.ExtractAsync(packageKey, signedPackageReader, cancellationToken);
 
-            // Mark this package as signed.
-            return await AcceptAsync(packageKey, message, PackageSigningStatus.Valid);
+            return result;
         }
 
         private async Task<SignatureValidatorResult> GetVerifyResult(