philipptrenz / covidpass.eu

Scan your vaccination, test and recovery certificates in QR code representation and save them to your Apple Wallet
https://covidpass.eu
GNU Affero General Public License v3.0

Payload does not include the hash #23

Closed timokoenig closed 3 years ago

timokoenig commented 3 years ago

When creating the zip file to sign with the server, the full pass JSON is included instead of only the hash, which contradicts what is written in the README.

Since the QR codes store sensitive personal information as well as health data, processing of the data is done entirely within the user's browser. Only a hash over the data is sent to the server to sign it with a certificate issued by Apple, for which an Apple Developer Program Membership is required.

The hash is being created but never used, https://github.com/philipptrenz/covidpass/blob/90c90fbf82ef606eb4992a01fcf9180321daafec/plugins/src/pass.js#L41

timokoenig commented 3 years ago

Okay, I take it back, I think the line listed above is just a leftover from development. The hash is being created in another place.