It is possible to spoof a file with an older one; the problem is in certificate chain validation.
vulners.com/securityvulns/securityvulns:doc:3916
vulners.com/securityvulns/securityvulns:doc:3917