Love the idea, thanks for sharing!

One obvious concern here is data privacy, since the pass details are sent to the server. Any chance it would be possible to run everything in the browser, without sending data back to the server?

not really. the .pkpass needs to be signed. you can build the file locally but you won't be able to load it in apple wallet.

Please be clearer about this on the site!

The site is pretty clear: "Free and works in browser", "Processed locally", "Private". But apparently the site (sorry for the harsh word, but I can't interpret it any other way) lies.

"is incorrect" is slightly less harsh, but in this case, I'd call it a lie. It's a rather subtle but important implementation detail. I don't think the author (who is here in this thread) is necessarily malicious because of this, but, well, it's a lie.

I'm not exactly sure how passes are signed, but in most digital signature schemes, you only sign the hash of the message, not the actual contents. Therefore you could conceivably do this in a privacy-preserving way by only passing in the hash to be signed, which would allow the server to generate a valid signature without knowing the contents.

Apple Wallet passes use CMS signatures. you're right that only hashes are signed. but Apple requires an official Developer certificate ($99/year) with a private key that can't be exposed to browsers. for true privacy, each user would need their own cert. and defeats the "free" goal. and if you have a dev certificate it's trivial to generate one on your own machine.

> Apple Wallet passes use CMS signatures. you're right that only hashes are signed. but Apple requires an official Developer certificate ($99/year) with a private key that can't be exposed to browsers.

Why can't the browser send the hash to the server for signing?

let me look into it.
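
The hash-only signing idea raised in the comments above, as an added example that is not code from this thread or from the site: a .pkpass bundle carries a manifest.json of per-file SHA-1 digests and a detached signature over that manifest, so a client can hash locally and send only the manifest. The sample pass, the `signingRequest` payload shape and the `leaksContent` guard are assumptions made for illustration; Node's crypto module stands in for the browser's `crypto.subtle.digest`.

```javascript
// Added example: hash pass files locally, send only the manifest for signing.
const { createHash } = require('node:crypto');

// Constructed sample pass contents; a real pass has more fields and real images.
const sampleFiles = {
  'pass.json': Buffer.from(JSON.stringify({
    formatVersion: 1,
    description: 'Gym membership (constructed sample)',
    barcodes: [{ format: 'PKBarcodeFormatQR', message: 'MEMBER-0000-EXAMPLE',
                 messageEncoding: 'iso-8859-1' }],
  })),
  'icon.png': Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
};

// manifest.json maps each file name in the bundle to the SHA-1 hex digest of its bytes.
function buildManifest(files) {
  const manifest = {};
  for (const name of Object.keys(files).sort()) {
    manifest[name] = createHash('sha1').update(files[name]).digest('hex');
  }
  return manifest;
}

// The detached signature covers these exact bytes, so the client must package
// the same bytes it sent for signing.
function manifestBytes(files) {
  return Buffer.from(JSON.stringify(buildManifest(files)), 'utf8');
}

// Hypothetical request body for a signing service: file names and digests only.
function signingRequest(files) {
  return JSON.stringify({ manifest: manifestBytes(files).toString('base64') });
}

// Client-side guard (hypothetical helper): true if any file's bytes appear in the
// payload, either inside the decoded manifest or as a base64 string in the body.
function leaksContent(requestBody, files) {
  const decoded = Buffer.from(JSON.parse(requestBody).manifest, 'base64');
  return Object.values(files).some((buf) =>
    buf.length > 0 &&
    (decoded.includes(buf) || requestBody.includes(buf.toString('base64'))));
}

const body = signingRequest(sampleFiles);
console.log(body, 'leaks content:', leaksContent(body, sampleFiles));
// Privacy caveat: the signer still learns file names and digests, and a digest
// does not hide content that is short or guessable.
```
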

Any chance of allowing me to upload my own keys and doing the signing in the browser? I am sure this is a niche use case but I know how to generate the certificate for this but have been too lazy to make a thing like this for (checks to-do list) something like six years and I'd much rather just use your thing lol

that's a good idea. i'll release a BYOK version but don't plan to host it myself. will include a quick run script to run it locally.

Haha, I just made a comment above that I've been sitting on a half done project to do this for around 8 years now.

yeah was expecting that, thanks! do not use my gym pass pls