The vaccination receipt PDF downloaded from the Ministry of Health is signed with a certificate, but this certificate doesn't seem to be checked in the process. This means that anyone can create a certificate with the same organization name and common name, and sign a forged vaccination receipt which will be accepted. See https://github.com/billylo1/covidpass/blob/b38540a0bc845b11998d2a4b539cb17a9a04b8e2/src/process.ts#L45-L46
The initial attempt at using the library function to verify the PDF likely failed because the certificate used by the govt of Ontario does not have a chain of trust to a root CA (there is no chain at all). You can see this when you open up the PDF in Adobe Reader and it says the signature has issues. However, since each receipt is signed by the same certificate, you can still make sure that the proper certificate is used by checking for a specific certificate instead of just the common name and organization name.
There might be a method in node-forge you can use on this certificate.