diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2195732..67c86a8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@
 * Support for detecting Docker and Podman images and enforcing their presence (by SHA256 hash).
 * Add support for detecting Flatpaks and Snaps.
 * Stricter validation of harvests to ensure that they meet the schema and don't contain unsafe artifacts (e.g symlinks pointing outside the artifact tree)
+ * Perform harvest validation before trying to manifest from it.
 # 0.6.0
diff --git a/enroll/manifest.py b/enroll/manifest.py
index c9fca19..bb88d21 100644
--- a/enroll/manifest.py
+++ b/enroll/manifest.py
@@ -16,6 +16,7 @@ from .sopsutil import (
     encrypt_file_binary,
     require_sops_cmd,
 )
+from .validate import validate_harvest
 def _prepare_bundle_dir(
@@ -203,6 +204,14 @@ def manifest(
     td_out: Optional[tempfile.TemporaryDirectory] = None
     try:
+        validation = validate_harvest(resolved_bundle_dir)
+        if not validation.ok:
+            raise RuntimeError(
+                "harvest state does not match this Enroll version's schema; "
+                "please re-harvest the host with this version of Enroll.\n"
+                + validation.to_text().strip()
+            )
+
         if not sops_mode:
             if target == "puppet":
                 manifest_puppet_from_bundle_dir(
@@ -235,11 +244,6 @@ def manifest(
         td_out = tempfile.TemporaryDirectory(prefix="enroll-manifest-")
         tmp_out = Path(td_out.name) / "out"
-        tmp_out.mkdir(parents=True, exist_ok=True)
-        try:
-            os.chmod(tmp_out, 0o700)
-        except OSError:
-            pass
         if target == "puppet":
             manifest_puppet_from_bundle_dir(
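Review bot: The RuntimeError raised in the `@@ -203,6 +204,14 @@` hunk attributes every validation failure to a schema mismatch and tells the operator to re-harvest, but the CHANGELOG entry in this same commit says validation also rejects unsafe artifacts such as symlinks pointing outside the artifact tree, so a harvest refused for that reason would be reported as a version problem and the signal that the bundle may have been tampered with is hidden. A neutral message such as `"harvest failed validation (schema mismatch or unsafe artifact); re-harvest the host with this version of Enroll if the schema is out of date.\n"` keeps the `validation.to_text()` detail as the authoritative reason, and a dedicated exception class (or at least ValueError) would let callers distinguish this from the other RuntimeErrors that can surface from the same try block. Whether `resolved_bundle_dir` already refers to the decrypted bundle in sops mode is decided outside this hunk, so I cannot confirm from here that sops-mode harvests are validated as plaintext rather than ciphertext. The enclosing manifest() function starts and ends outside the hunk.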