When creating the zip file to sign with the server, the full pass json is included instead of only the hash, which contradicts with what is written in the README.
Since the QR codes store sensitive personal information as well as health data, processing of the data is done entirely within the users browser. Only a hash over the data is sent to the server to sign it with a certificate issued by Apple, for which a Apple Developer Program Membership is required.
When creating the zip file to sign with the server, the full pass json is included instead of only the hash, which contradicts with what is written in the README.
Since the QR codes store sensitive personal information as well as health data, processing of the data is done entirely within the users browser. Only a hash over the data is sent to the server to sign it with a certificate issued by Apple, for which a Apple Developer Program Membership is required.
The hash is being created but never used, https://github.com/philipptrenz/covidpass/blob/90c90fbf82ef606eb4992a01fcf9180321daafec/plugins/src/pass.js#L41