From f6c6c2d83f7a6b4f0276cd9b8facd8bac5c83d23 Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Sat, 13 Jan 2024 16:35:38 -0500
Subject: [PATCH] [doc] cert-staple.sh check staple newer than cert (thx avij)
---
 doc/scripts/cert-staple.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/doc/scripts/cert-staple.sh b/doc/scripts/cert-staple.sh
index 0692afa57..6adbf4bb9 100755
--- a/doc/scripts/cert-staple.sh
+++ b/doc/scripts/cert-staple.sh
@@ -24,8 +24,11 @@ errexit() {
 }
 # short-circuit if Next Update is > $next_delta in the future
+# and the stapling file is newer than the certificate and the chain
 next_ts=$(readlink "$OCSP_DER" 2>/dev/null)
-if [ -n "$next_ts" ]; then
+if [ -n "$next_ts" ] && \
+ [ "$OCSP_DER" -nt "$CERT_PEM" ] && \
+ [ "$OCSP_DER" -nt "$CHAIN_PEM" ]; then
 next_ts="${next_ts##*.}"
 ts=$(date +%s)
 ts=$(( $ts + $next_delta ))
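Review bot: The two added `-nt` tests in the short-circuit `if` compare modification times only, so a renewed certificate or chain that is installed with a preserved, older mtime (for example by `cp -p` or `rsync -t`) would still pass, and the staple fetched for the previous certificate would presumably stay in place until its Next Update window closes. That assumption is worth stating beside the new comment line, e.g. `# (mtime comparison: assumes renewed cert/chain files get a fresh mtime when installed)`. The result of `-nt` when `$CHAIN_PEM` does not exist also differs between `test` implementations, so an explicit `[ -f "$CHAIN_PEM" ] || errexit` before this block would make that case deterministic, unless it is already checked outside the hunk. The `if` body continues past the end of the hunk.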