Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
alessandropier 10 hours ago

Love the idea, thanks for sharing!

One obvious concern here is data privacy, since the pass details are sent to the server. Any chance it would be possible to run everything in the browser, without sending data back to the server?

alentodorov 10 hours ago | parent [-]

not really. the .pkpass needs to be signed. you can build the file locally but you won't be able to load it in apple wallet.

zeckalpha 10 hours ago | parent | next [-]

Please be clearer about this on the site!

matrss 10 hours ago | parent [-]

The site is pretty clear: "Free and works in browser", "Processed locally", "Private". But apparently the site (sorry for the harsh word, but I can't interpret it any other way) lies.

fragmede 8 hours ago | parent [-]

"is incorrect" is slightly less harsh, but in this case, I'd call it a lie. It's a rather subtle but important implementation detail. I don't think the author (who is here in this thread) is necessarily malicious because of this, but, well, it's a lie.

gruez 10 hours ago | parent | prev | next [-]

I'm not exactly sure how passes are signed, but in most digital signature schemes, you only sign the hash of the message, not the actual contents. Therefore you could conceivably do this in a privacy preserving way by only passing in the hash to be signed, which would allow the server to generate a valid signature without knowing the contents.

alentodorov 9 hours ago | parent [-]

Apple Wallet passes use CMS signatures. you're right that only hashes are signed. but Apple requires an official Developer certificate ($99/year) with a private key that can't be exposed to browsers. for true privacy, each user would need their own cert. and defeats the "free" goal. and if you have a dev certificate it's trivial to generate one on your own machine.

gruez 9 hours ago | parent | next [-]

>Apple Wallet passes use CMS signatures. you're right that only hashes are signed. but Apple requires an official Developer certificate ($99/year) with a private key that can't be exposed to browsers.

Why can't the browser send the hash to the server for signing?

alentodorov 9 hours ago | parent [-]

let me look into it.

saagarjha 9 hours ago | parent | prev [-]

Any chance of allowing me to upload my own keys and doing the signing in the browser? I am sure this is a niche use case but I know how to generate the certificate for this but have been too lazy to make a thing like this for (checks to-do list) something like six years and I'd much rather just use your thing lol

alentodorov 9 hours ago | parent | next [-]

that's a good idea. i'll release a BYOK version but don't plan to host it myself. will include a quick run script to run it locally.

the_lucifer 9 hours ago | parent | prev [-]

Haha, I just made a comment above that I've been sitting on a half done project to do this for around 8 years now.

alessandropier 10 hours ago | parent | prev [-]

yeah was expecting that, thanks! do not use my gym pass pls