feat: add saaaanchez test QR, text and result #9
Uhm, did you run
I used ehn-sign-verify-python-trivial to validate signature and get all the information (also
The issue is that certificate is most probably v1.0, whilst nowadays we use v1.3 IIRC
@denysvitali is it about 061f6ae#commitcomment-59268556? Commit comment 061f6ae#commitcomment-59268556 moved here for discussion continuity:
That explains it! Wow! I'm sorry then for re-generating the QR code! I'm also sorry for replying here to your commit comment, GitHub on Android doesn't show those :( I'll revert my commit that changes the QR.
The issue generated by the Polish app seems related to the parsing of the QR code, instead of the data contained in it. This commit reverts the QR code to be able to reproduce the issue with the Polish app.
No problem at all. I'll try to raise the issue about this new saaaanchez QR code with the PL authorities, there should be no such problems with QR code that is readable by other apps in the field. Did you verify this new code with VerificaC19 app?
@denysvitali no need to answer my question, I saw ministero-salute/it-dgc-verificaC19-android#185 (comment) :)
Sadly both the Italian and Swiss app are affected. I feel stupid for not checking the QR code itself. I assumed the QR decoder was pretty standard and bug-free.
They use bog standard zxing component as you can see in https://github.com/ministero-salute/it-dgc-verificaC19-android/blob/develop/app/src/main/java/it/ministerodellasalute/verificaC19/ui/main/codeReader/CodeReaderFragment.kt
Nice find @denysvitali ministero-salute/it-dgc-verificaC19-android#185 (comment)
I've got an external tip 😅. I'll remove it later :)
This certificate, despite being weird and being signed by a production key of AD, is in fact genuine and used as part of the EU DGC Quality Assurance tests. This is very unfortunate as these certificates should have never been signed with a productive key to begin with. For this reason, this certificate isn't forged and thus it is now removed with this commit.
References:
- #9
- ministero-salute/it-dgc-verificaC19-android#185
- admin-ch/CovidCertificate-App-Android#306
- eu-digital-green-certificates/dcc-quality-assurance#183
Took me a while, sorry. I now removed both saaaanchez and pass-valido as they're both valid certificates (one really valid, the other with data added at the end).
Adding a sample created by truncating "pass-valido" that is recognized as valid by apps (base45 decodes without errors).
The sample is suspicious only because of the non-official surname "Saaaanchez" and being found as part of the problematic "pass-valido". It is possible that this sample is not fraudulent, and was issued for a real person, it is impossible to tell for sure.