#
#
# patch "cert.cc"
# from [cb7908e8a4541cc16c257758255cf64654329462]
# to [ea863a72e399354c6a859a2fe6d5185529ed8823]
#
# patch "cert.hh"
# from [6b2244b0e1ba48291fcf7bf5f12c91c5e32fde2f]
# to [9c783196dcfaedd79357d758521a190d87ba8637]
#
# patch "netsync.cc"
# from [ef4d67b3bd4a47082dbcd13376b353b35eecb8b9]
# to [bf78b35eae5367b5acff68d4bc160756f28926c3]
#
============================================================
--- cert.cc cb7908e8a4541cc16c257758255cf64654329462
+++ cert.cc ea863a72e399354c6a859a2fe6d5185529ed8823
@@ -99,14 +99,20 @@ read_cert(database & db, string const &
           }
         if (!found)
           {
-            W(F("Cannot find appropriate key '%s' for old-style cert")
-              % name);
             return false;
           }
       }
       break;
     case read_cert_current:
-      tmp.key = key_id(key, origin::network);
+      {
+        rsa_pub_key pub;
+        tmp.key = key_id(key, origin::network);
+        db.get_pubkey(tmp.key, keyname, pub);
+        if (db.check_signature(tmp.key, signable, tmp.sig) != cert_ok)
+          {
+            return false;
+          }
+      }
       break;
     default:
       I(false);
@@ -130,9 +136,9 @@ bool cert::read_cert_v6(database & db, s
   return ::read_cert(db, s, c, ::read_cert_v6, keyname);
 }
 
-bool cert::read_cert(database & db, std::string const & s, cert & c)
+bool cert::read_cert(database & db, std::string const & s, cert & c,
+                     key_name & keyname)
 {
-  key_name keyname;
   return ::read_cert(db, s, c, read_cert_current, keyname);
 }
 
============================================================
--- cert.hh 6b2244b0e1ba48291fcf7bf5f12c91c5e32fde2f
+++ cert.hh 9c783196dcfaedd79357d758521a190d87ba8637
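Review bot: In the new `read_cert_current` branch, `db.get_pubkey(tmp.key, keyname, pub)` is called on a key id taken straight from the peer with no check that the key exists locally; if `get_pubkey` fails on a missing key with an invariant or exception rather than an error return (its contract is not visible in the hunk), a remote peer can abort the whole netsync session just by sending a cert under an unknown key id, and the caller's "bad signature" warning never gets a chance to run. The v6 branch above handles the unknown-key case by returning false, so the v7 path should do the same before the lookup: `if (!db.public_key_exists(tmp.key)) return false;` (or whichever existence test the database API provides). `pub` is otherwise unused and exists only so that `keyname` is filled through the out-parameter; a one-line comment saying so, `// lookup only to resolve keyname; the signature check below uses the key id`, would save the next reader a search. The enclosing `read_cert` begins before this hunk.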
@@ -40,7 +40,8 @@ struct cert : public origin_aware
   {}
 
   // These understand the netsync serialization.
-  static bool read_cert(database & db, std::string const & s, cert & c);
+  static bool read_cert(database & db, std::string const & s, cert & c,
+                        key_name & keyname);
   static bool read_cert_v6(database & db, std::string const & s, cert & c,
                            key_name & keyname);
   cert(database & db, std::string const & s, origin::type m);
============================================================
--- netsync.cc ef4d67b3bd4a47082dbcd13376b353b35eecb8b9
+++ netsync.cc bf78b35eae5367b5acff68d4bc160756f28926c3
@@ -2389,11 +2389,24 @@ session::process_data_cmd(netcmd_item_ty
         key_name keyname;
         if (version >= 7)
           {
-            matched = cert::read_cert(project.db, dat, c);
+            matched = cert::read_cert(project.db, dat, c, keyname);
+            if (!matched)
+              {
+                W(F("Dropping incoming cert which claims to be signed by key\n"
+                    "'%s' (name '%s'), but has a bad signature")
+                  % c.key % keyname);
+              }
           }
         else
           {
             matched = cert::read_cert_v6(project.db, dat, c, keyname);
+            if (!matched)
+              {
+                W(F("dropping incoming cert which was signed by a key we don't have\n"
+                    "you probably need to obtain this key from a more recent netsync peer\n"
+                    "the name of the key involved is '%s', but note that there are multiple\n"
+                    "keys with this name and we don't know which one it is") % keyname);
+              }
           }
 
         if (matched)
@@ -2408,13 +2421,6 @@ session::process_data_cmd(netcmd_item_ty
             if (project.db.put_revision_cert(c))
               written_certs.push_back(c);
           }
-        else
-          {
-            W(F("dropping incoming cert which was signed by a key we don't have\n"
-                "you probably need to obtain this key from a more recent netsync peer\n"
-                "the name of the key involved is '%s', but note that there are multiple\n"
-                "keys with this name and we don't know which one it is") % keyname);
-          }
       }
       break;
 
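Review bot: The new `keyname` out-parameter on `read_cert` is undocumented, and its contract is not the same as `read_cert_v6`'s: in the cert.cc hunk on this page it is filled from the database after the key id is parsed and only then is the signature verified, so on a false return `keyname` may or may not have been set (the earlier failure paths of `read_cert` are outside the hunk). A comment above the two declarations would pin this down for callers, e.g. `// read_cert also verifies the signature against the locally stored key and returns false (c partially filled) when it does not check out; both variants report the key's name through keyname when it could be resolved, and leave it untouched otherwise.` The existing "These understand the netsync serialization." line says nothing about verification, which is now the security-relevant part of the interface.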
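Review bot: The version >= 7 warning states that the dropped cert "has a bad signature", but `cert::read_cert` returns false for any failure on the current-format path, which as far as the cert.cc hunk shows includes a key the local database cannot resolve, so the message can blame a key that is simply unknown and prints a `keyname` that may never have been filled in; the v6 branch directly below still tells the user to fetch the key, while v7 users get no such hint. Wording it as a verification failure is accurate for both causes: `W(F("Dropping incoming cert which claims to be signed by key\n" "'%s' (name '%s'), but its signature could not be verified\n" "(bad signature, or a key this database does not have)") % c.key % keyname);`. Separately, a cert with a genuinely bad signature is evidence of a corrupt or hostile peer, yet it is only warned about and the session continues; at minimum counting these per session so an operator can spot a peer that keeps sending them seems worthwhile. `process_data_cmd` continues outside this hunk.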