admin-ch / CovidCertificate-App-Android

CovidCertificate Apps for Android

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Covid Certificate does verify Italian certificates that contain invalid signatures (?)

vincenzoiovino opened this issue · comments

According to the answer of user Astagi in this issue regarding the Italian's app Verifica C19: ministero-salute/it-dgc-verificaC19-android#87
The QR codes posted by the Italian Team in the link mentioned in the issue should not pass verification but they are successfully validated by Covid Certificate.
Either the certificates are invalid as claimed by such user and then the bug is in the Swiss app, or the bug is in the Italian app, or some of the apps embed such test codes somewhere.
Any clue?

edit: or keys revoked and Covid Certificate (as the EU and other national apps) still have revoked keys (I have all updated versions of all apps)?

According to the answer of user Astagi in this issue regarding the Italian's app Verifica C19: ministero-salute/it-dgc-verificaC19-android#87
The QR codes posted by the Italian Team in the link mentioned in the issue should not pass verification but they are successfully validated by Covid Certificate.
Either the certificates are invalid as claimed by such user and then the bug is in the Swiss app, or the bug is in the Italian app, or some of the apps embed such test codes somewhere.
Any clue?

edit: or keys revoked and Covid Certificate (as the EU and other national apps) still have revoked keys (I have all updated versions of all apps)?

The issue is solved. The app does later show that the sig is invalid. I got confused with the EU app that anyway does show green sign and never mention anything about invalid signature.
However, showing a message of invalid signature only later may be confusing. When the code is scanned, all data about vaccination are showed correctly and one can think the certificate is valid. Instead, the Italian app immediately shows a red sign.
It can be also that I confused the scope of this app.
Howerver, it seems a bug in the EU app (to point out on their repository) that explicitly says that the certificates are valid.

This is intended behaviour for the Swiss wallet app. The wallet app allows you to import anything you want, as long as it can decode it as a DCC. In particular, this is useful if you want to import your vaccination certificate for the 1st dose (which on its own is not valid).

It is by design that the preview does not validate the cert. Since the new cert will be the first one in the pager, the user will clearly see its status soon enough.
Again, consider the example of the 1st dose: we don't want to scare the user away with a red INVALID warning, instead we want to help them complete the import process.

This is intended behaviour for the Swiss wallet app. The wallet app allows you to import anything you want, as long as it can decode it as a DCC. In particular, this is useful if you want to import your vaccination certificate for the 1st dose (which on its own is not valid).

It is by design that the preview does not validate the cert. Since the new cert will be the first one in the pager, the user will clearly see its status soon enough.
Again, consider the example of the 1st dose: we don't want to scare the user away with a red INVALID warning, instead we want to help them complete the import process.

ok got it. I was testing these certificates that are invalid on many apps and I did not even realize what is the main purpose of this app.
You can close this issue.
However, this is a still a bug in the EU app and possibly other apps that validate these invalid certificates with a green sign,