A simple tool to validate EU Digital COVID-19 Certificates
(because this tool is, well, minimalistic...)
- Clone
- Compile with
go build/go install - Scan the QR code on the EU Digital COVID-19 Certificate, save the scan as ASCII
echo 'the long, random string of garbage from the QR scan' | ./go-uvci-reader- Confirm that the result contains your personal data (as printed in plaintext on the EU Digital COVID-19 Certificate) and that the signature is valid.
That's it. No options, no CLI commands, no config files. It reads a string of characters from standard input and tries to decode it according to the published documentation for EU Digital COVID-19 Certificate, and print the plaintext to standard output, (hopefully) formatted.
It just does one thing. Not necessarily well.
Too many to list.
Most notably: the signature checker fails and panics. In other words: you can get the encoded data from the QR code, but it doesn't do the vital step of validating it. As such, the original purpose — validation! — is defeated.
Reason for the above: probably you need to know in advance which authority emitted the signature and get its public key. This is non-trivial. Most EU organisations seem to distribute their public keys only to a very limited set of entities; also, each EU member state is free to generate as many signatures as they wish, and somehow (internally) 'decide' which entities are allowed to emit valid signatures and freely exchange their public keys. It's true that this works across borders, but how it works is beyond my understanding of the (very long!) implementation details. They're written in the most dense Eurocratese.
Why such an obscure, opaque method? That, unfortunately, is not for me to answer. I was genuinely naïve enough to think that you'd read the QR code, see if the signature was valid, show the entity signing it, and that would be it. Apparently there are further steps that need to be in place before you can actually do that.
But other non-Go tools seem to work! Well, that's very likely because they were written by knowledgeable, professional programmers, not utterly clueless amateurs like me. Or it's because I've interpreted the relevant documentation wrongly.
Just use the Go Corona QR Code Decoder instead. That one just works and seems to have no problem downloading the appropriate certificates (and keeping them in sync!). So, why bother using my package instead? (that's a rhetorical question)
Fixes are unlikely to be released, as, for all practical purpeses, thie project has been vastly superceded by far better alternatives...
