fetch timestamps before submitting to rekor

CHANGELOG.md

@@ -67,6 +67,8 @@ All versions prior to 0.9.0 are untracked.
   configure the used Sigstore instance [#1358]/(https://github.com/sigstore/sigstore-python/pull/1358)
 * By default (when `--trust-config` is not used) the whole trust configuration now
   comes from the TUF repository [#1363](https://github.com/sigstore/sigstore-python/pull/1363)
+* If the user provided TSA urls, rfc3161 timestamps are now fetched **before** submitting
+  entries to rekor. [#1463](https://github.com/sigstore/sigstore-python/pull/1463)
 
 ### Removed
  * API:

sigstore/sign.py

@@ -178,11 +178,6 @@ def _finalize_sign(
         """
         Perform the common "finalizing" steps in a Sigstore signing flow.
         """
-        # Submit the proposed entry to the transparency log
-        entry = self._signing_ctx._rekor.create_entry(proposed_entry)
-
-        _logger.debug(f"Transparency log entry created with index: {entry.log_index}")
-
         # If the user provided TSA urls, timestamps the response
         signed_timestamp = []
         for tsa_client in self._signing_ctx._tsa_clients:
@@ -193,6 +188,10 @@ def _finalize_sign(
                     f"Unable to use {tsa_client.url} to timestamp the bundle. Failed with {e}"
                 )
 
+        # Submit the proposed entry to the transparency log
+        entry = self._signing_ctx._rekor.create_entry(proposed_entry)
+        _logger.debug(f"Transparency log entry created with index: {entry.log_index}")
+
         return Bundle._from_parts(cert, content, entry, signed_timestamp)
 
     def sign_dsse(