From fb1cd5d9a0894eab954a47f3e9e0e8d0c8d4d359 Mon Sep 17 00:00:00 2001
From: Patrick McDermott <patrick.mcdermott@libiquity.com>
Date: Sun, 21 Jul 2019 19:28:43 -0400
Subject: opkg-cert: Don't blame clock for bootstrap to invalid cert

When a mirror has an expired certificate, prokit and opkg-cert print:

	prokit: Using architecture amd64-linux-glibc
	prokit: Using platform dev
	prokit: Using mirror http://files.proteanos.com/pub/proteanos/
	prokit: Setting up root...
	prokit: Configuring opkg and retrieving Packages files...
	opkg-cert: Invalid certificate from <http://files.proteanos.com/pub/proteanos//archive.cert>!
	opkg-cert: Clock incorrect

The second message from opkg-cert is wrong and confusing.
---
diff --git a/opkg-cert b/opkg-cert
index 82238aa..2cac000 100755
--- a/opkg-cert
+++ b/opkg-cert
@@ -227,7 +227,17 @@ check_cert()
 
 	# Check dates.
 	now=$(time)
-	if [ "${valid}" -eq 0 ] || [ ${now} -lt "${valid}" ]; then
+	if [ "${valid}" -eq 0 ]; then
+		# There was no "V" key in the payload, so this is most likely a
+		# dummy seed certificate that prokit generates to make opkg-cert
+		# download and verify the actual certificate from a mirror.  If
+		# we reached here, the actual certificate was invalid.
+		if ${new}; then
+			rm -f -- "${cert}"
+		fi
+		return 1
+	fi
+	if [ ${now} -lt "${valid}" ]; then
 		if ${new}; then
 			rm -f -- "${cert}"
 		else
--
cgit v0.9.1