Government of BC cards being recognized as fake

[mitchplze]

The shc:/ link provided by the BC Vaccine Card QR code, are shown as fake by this system.

[superay123]

@fproulx's version (https://fproulx.github.io/shc-covid19-decoder/) only recognizes QC QR code because its uses a built-in public signing key.
Please use @steven676's version (https://steven676.github.io/shc-covid19-decoder/) as you can deactivate signature verification. You can send the BC iss to @steven676 and he might include the BC public key in his issuer_keys.js.
If BC publishes its public signing key at /.well-known/jwks.keys, @thardie's version (https://github.com/thardie/shc-covid19-decoder) should work.

[mitchplze]

The version from @steven676 works, if I disable verification! Thanks for the tip.

[thardie]

The version from @steven676 works, if I disable verification! Thanks for the tip.

Be careful with my current version or no verification, because it means anyone could produce those codes and it could be completely fake. You need to verify it some way.

With the verification off, is there an ISS field? If so, can you post it here?

[mitchplze]

With the verification off, is there an ISS field? If so, can you post it here?

https://smarthealthcard.phsa.ca/v1/issuer

PHSA.ca is legit. 👍

[mitchplze]

If it helps with development, I can post the full dump of my BC one (with personal information redacted).

It’s also worth noting, this just launched today, and the official “verifier” app does not yet exist until next week 😅

[dlh3]

BC payload, without the credentialSubject:

{
  iss: 'https://smarthealthcard.phsa.ca/v1/issuer',
  nbf: 1630863179,
  vc: {
    type: [
      'https://smarthealth.cards#covid19',
      'https://smarthealth.cards#immunization',
      'https://smarthealth.cards#health-card'
    ],
    ...
}```

[steven676]

Thanks for the heads-up. I've updated https://steven676.github.io/shc-covid19-decoder/ with the BC signing key; does that now work with BC Vaccine Cards when signature verification is enabled? (The code is off in a separate more-keys branch for now -- I suspect I'll end up redoing my main branch to go back to selecting keys using the iss field, given the discussion in #12 and the fact that everyone else seems to be doing it that way.)

[GregSwallow]

Thanks for the heads-up. I've updated https://steven676.github.io/shc-covid19-decoder/ with the BC signing key; does that now work with BC Vaccine Cards when signature verification is enabled?

I tested it on my BC card and it works with verify enabled

[csisop]

If it helps with development, I can post the full dump of my BC one (with personal information redacted).

It’s also worth noting, this just launched today, and the official “verifier” app does not yet exist until next week 😅

And I've seen articles that say that any QR reader can scan the codes, which seems totally wrong.

[dlh3]

does that now work with BC Vaccine Cards when signature verification is enabled?

GregSwallow beat me to it, but yes. Signature verification works for BC with that key.

And I've seen articles that say that any QR reader can scan the codes, which seems totally wrong.

@csisop A QR code is a QR code is a QR code. It's a general purpose scheme for encoding any data in a 2D optical matrix, so of course any QR reader can scan it. But most readers will just give you a string of digits (eg, "shc:/65432545...").

The data encoded in the vaccine passport QR codes is typically SHC data, which uses JWS (JSON Web Signatures) with asymmetric encryption to sign the data. The SHC data does not protect any of the information, but the signing mechanism does allow purpose-built verifier apps to validate the signature, which allows for detection of tampered data (ie, detecting a fake passport).

That's what this project does. It reads the SHC data from a QR code, converts it to JWS, verifies the signature, and dumps the data.