From fb1cd5d9a0894eab954a47f3e9e0e8d0c8d4d359 Mon Sep 17 00:00:00 2001 From: Patrick McDermott Date: Sun, 21 Jul 2019 19:28:43 -0400 Subject: opkg-cert: Don't blame clock for bootstrap to invalid cert When a mirror has an expired certificate, prokit and opkg-cert print: prokit: Using architecture amd64-linux-glibc prokit: Using platform dev prokit: Using mirror http://files.proteanos.com/pub/proteanos/ prokit: Setting up root... prokit: Configuring opkg and retrieving Packages files... opkg-cert: Invalid certificate from ! opkg-cert: Clock incorrect The second message from opkg-cert is wrong and confusing. --- diff --git a/opkg-cert b/opkg-cert index 82238aa..2cac000 100755 --- a/opkg-cert +++ b/opkg-cert @@ -227,7 +227,17 @@ check_cert() # Check dates. now=$(time) - if [ "${valid}" -eq 0 ] || [ ${now} -lt "${valid}" ]; then + if [ "${valid}" -eq 0 ]; then + # There was no "V" key in the payload, so this is most likely a + # dummy seed certificate that prokit generates to make opkg-cert + # download and verify the actual certificate from a mirror. If + # we reached here, the actual certificate was invalid. + if ${new}; then + rm -f -- "${cert}" + fi + return 1 + fi + if [ ${now} -lt "${valid}" ]; then if ${new}; then rm -f -- "${cert}" else -- cgit v0.9.1