hannob / vacdec

Python script to decode the EU Covid-19 vaccine certificate
The Unlicense

To everyone who wants a faked QR certificate #20

Closed Dakkaron closed 2 years ago

Dakkaron commented 2 years ago

Since there have been many questions on that, I think some education on the subject is in order.

@hannob If you think this is not the right place, please feel free to close the issue.

TLDR

Faking a QR code without the private key doesn't work and will not work. If it did, all security regarding computers would be destroyed.

Why?

The QR code is cryptographically signed, using a private/public keypair. Cryptographic signatures can be generated if you have the private key (which, as the name says, is kept private). They can be validated using the public key, which is public. Since it is only signed and not encrypted, it is possible to read the message without any key at all. This is what this project does.

Encryption vs Signature

In a public/private key system, every user has a private key (which they have to keep private, so not share with anyone) and a public key. The public key is public, meaning it is shared with everyone.

Using these keys, there are two main things you can do: encrypt a message or sign a message (or both at once).

To encrypt something, you use the public key of the user that should be able to read the message. This returns a message that looks like random garbage. Only by using that user's private key can you restore the message to its original form.

To sign something, you use your own private key. This creates a signature that can be attached to the message. The message itself is not modified and thus still legible (as if you put a signature under a letter). Using the sender's public key (which everyone else has), other users can verify that the message came from the sender and that it wasn't modified.

What does this project do?

It reads the QR code's data, without even checking the signature. So, basically, it doesn't touch the security of the QR code at all.

What would it mean if you could just create valid QR codes without the private key?

That would literally mean that all security that exists with regard to digital communications would be gone. That would mean no online banking, no online shopping, not even safe use of messaging apps or social networks. It would be close to a digital apocalypse.

So how do I get a valid QR code?

The only way to get a valid QR code is to get it from someone who has the private key. Which, to my knowledge, are only the authorities responsible for vaccinations. So go, get your shot.

By the way: in many countries documentation regarding vaccinations counts as an official document. Forging those can lead to (depending on the country) pretty substantial fines and even jail sentences of over a year. Is that really worth it?
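
An added illustration of the sign/verify distinction described in the post above; it is not part of the original comment or of vacdec. It swaps in a toy textbook RSA key built from two known Mersenne primes (an assumption for the demo, insecure, and not the scheme the real certificates use), and the payload is a constructed sample.

```python
import hashlib
import json

# Toy textbook-RSA key from two well-known Mersenne primes (constructed for
# this demo; NOT secure and not the scheme the real certificates use).
P, Q = 2**127 - 1, 2**521 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held by the issuer only


def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, exponent: int = D) -> int:
    """Issuer side: a valid signature needs the private exponent D."""
    return pow(digest(message), exponent, N)


def verify(message: bytes, signature: int) -> bool:
    """Verifier side: needs only the public values N and E."""
    return pow(signature, E, N) == digest(message)


def demo() -> dict:
    # Constructed sample payload, not a real certificate.
    payload = json.dumps({"name": "Jane Example", "doses": 2}).encode()
    signature = sign(payload)

    # Signed, not encrypted: the payload is readable without any key.
    readable = json.loads(payload)["name"]

    # An edited payload carrying the old signature no longer verifies.
    edited = payload.replace(b"Jane Example", b"John Example")

    # A signature made with any exponent other than D does not verify either.
    wrong_key_signature = sign(edited, exponent=E)

    return {
        "readable_without_key": readable,
        "original_valid": verify(payload, signature),
        "edited_valid": verify(edited, signature),
        "wrong_key_valid": verify(edited, wrong_key_signature),
    }


if __name__ == "__main__":
    print(demo())
```
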