102 lines
4.5 KiB
Markdown
102 lines
4.5 KiB
Markdown
# Grassroots
|
|
|
|
This web-based tool allows you to add your Ontario Vaccination Receipt as a pass into your Apple Wallet on iOS in a privacy-respecting way. It achieves this without sending your data to a server and instead uses a hashed representation for the signing step.
|
|
|
|
Here is a [demo](https://www.youtube.com/watch?v=AIrG5Qbjptg)
|
|
|
|
# Quick start
|
|
|
|
* Go to [https://grassroots.vaccine-ontario.ca](https://grassroots.vaccine-ontario.ca)
|
|
* Click Ontario Health to download your vaccination receipt onto your iPhone (local storage)
|
|
* Select File, Browse, your-vaccine-receipt.pdf
|
|
* Add to the wallet
|
|
|
|
### Debug the web app
|
|
|
|
```sh
|
|
yarn install
|
|
yarn dev
|
|
```
|
|
|
|
### Run the Docker container
|
|
|
|
```sh
|
|
docker build . -t covidpass -t gcr.io/broadcast2patients/covidpass
|
|
docker run --rm -t -i -p 3000:3000 covidpass
|
|
```
|
|
|
|
### Integration with other repos required
|
|
|
|
[setup.md](setup.md) has the details on how to bring the components together.
|
|
|
|
# FAQ
|
|
|
|
#### I do not want to trust a third party with my vaccination data, does this tool respect my privacy?
|
|
|
|
Processing of your data happens entirely in your browser and only a hashed representation is sent to the server for the signing step. For more details of this, please see https://toronto.ctvnews.ca/video?clipId=2294461
|
|
|
|
#### How do I make sure that nobody can access my vaccination pass from the lock screen (iOS)?
|
|
|
|
Navigate to the "TouchID & Code" or "FaceID & Code" or just "Code" section in the Settings and switch the toggle to off for Wallet in the section "Allow access from the lock screen". Also see [this official guide](https://support.apple.com/guide/iphone/control-access-information-lock-screen-iph9a2a69136/ios) from Apple.
|
|
|
|
# Using your own Apple Developer Certificate (if you would like to fork this project and run it yourself)
|
|
|
|
## Get your certificate
|
|
|
|
* Sign into your [Apple Developer Account](https://developer.apple.com/account/)
|
|
* Go to Certificates, Identifiers and Profiles
|
|
* Register a new Pass Type Identifier under the Identifiers tab
|
|
* Create a new Pass Type ID Certificate under the Certificates tab
|
|
* Select your previously created Pass Type Identifier in the process
|
|
* Move your new certificate to the My Certificates tab in the keychain
|
|
* Export your certificate as a .p12 file
|
|
|
|
|
|
* Install node.js and download the [passkit-keys](https://github.com/walletpass/pass-js/blob/master/bin/passkit-keys) script
|
|
* Create a `keys` folder and put the .p12 file inside
|
|
* Run ./passkit-keys `<path to your keys folder>`
|
|
* You may have to type in the passphrase you defined during the export step
|
|
|
|
## Run the API locally
|
|
|
|
A description of how you can use your certificate locally with the API will be provided in the readme of the [CovidPass API](https://github.com/covidpass-org/CovidPassApiNet).
|
|
To connect the web app to your local server, you have to set the `API_BASE_URL` environment variable accordingly.
|
|
|
|
# Explanation of the process
|
|
|
|
The whole process of generating the pass file happens locally in your browser. For the signing step, a hashed representation of your data is sent to the server.
|
|
|
|
First, the following steps happen locally in your browser:
|
|
|
|
* Validating the digital signature on the receipt from Ontario Health to ensure it's authentic
|
|
* Decoding your vaccination event data from the PDF file (e.g. date, type of vaccine, dose #, organization who administered it
|
|
* Assembling a pkpass file out of your data
|
|
* Sending the serial number and vaccination event data for verification when the QR code is scanned.
|
|
* Generating a file containing hashes of the data stored in the pass file
|
|
* Sending only the file containing the hashes to the server
|
|
|
|
Second, the following steps happen on the server:
|
|
|
|
* Receiving and checking the hashes which were generated locally
|
|
* Signing the file containing the hashes
|
|
* Sending the signature back
|
|
|
|
Finally, the following steps happen locally in your browser:
|
|
|
|
* Assembling the signed pass file out of the incomplete file generated locally and the signature
|
|
* Saving the file on your device
|
|
|
|
# Logging
|
|
|
|
* Sentry.io is used. Please put your DSN into your environment variable SENTRY_DSN at runtime to activate it.
|
|
|
|
# Credits
|
|
|
|
The idea for this web app originated from the [solution of an Austrian web developer](https://coronapass.fabianpimminger.com), which only works for Austrian certificates at the moment.
|
|
|
|
The main codebase is forked from [covidpass](https://github.com/covidpass-org/covidpass) and added Ontario specifcs.
|
|
|
|
# Contribute
|
|
|
|
Contributions to this project is welcome. Feel free to leave your suggestions, issues or pull requests.
|