Even 640x480 is a lie - supported modes are 4208x3120, 2104x1560 and 1052x780 at the moment.
On the currently released kernels the first two will have plenty of noise that you’ll have to subtract with a dark frame (a photo taken with the sensor fully covered); the last one should be fine though. However, improvements for image quality at high-res are coming (as can be seen under the link posted by @amarok).
QR codes are a wild and woolly bunch. Your vanilla QR code will be an https: (or http:) URL.
For the purposes of associating with WiFi, the QR code may begin with WIFI:
For the purposes of sending an SMS, the QR code may begin with SMSTO: (and the full text in the QR code will be SMSTO:destination-mobile-number:text-of-message)
Let’s call them all URLs where the schemes in the latter cases are WIFI and SMSTO respectively.
I have two questions.
Right now is there any command line to do anything with an SMSTO URL i.e. that would send the required SMS (or at least launch an SMS sending application in preparation for sending the SMS - since the user really ought to be given the opportunity not to go ahead and send the SMS)?
Is there any official registry of these additional schemes or is it a free-for-all? (This question is really just for interest.)
I think in any case it must be shown to the user what the QR wants to be done before any action gets performed. QR codes are a possible attack vector and even starting an app might be against the user’s will and possibly do harm.
Also I suggest we consider naming them commands instead of URLs. Or maybe we find out what the official name is from some RFC or whatever.
edit:
German Wikipedia talks about “tags” but doesn’t express clearly if these commands / URLs are the tags or the QR-Code itself. The abuse of these commands / URLs for attacks is called attagging.
Are the specifications of the QR Code publicly available?
Specifications of the code were approved as a JIS standard (JIS X 0510) in November 2004. Therefore, they are publicly available.
Due to covid, most probably the EU and certainly the tourist countries such as Greece are preparing a certificate of vaccination (or PCR or of recovery from covid) using “digitally signed QR codes”. What is this? I have used digital signatures, I have used QR codes but not together. I found very little information on the web (Wikipedia has nothing I think on this) and restricting the search to Linux returned nothing I could make any sense of.
I don’t know what it is, but “digitally signed QR code” doesn’t make sense. A QR code is a storage medium, but signing can be done to data. I’m guessing that what’s happening is some QR code carries some signed data, not unlike a QR code ticket.
This is what I thought too. But then I found this:
It seems that some kind of combination between QR and GPG is possible so I can safely assume that the same could be possible with digital signatures issued by CA authorities.
Unless I have completely misunderstood the above link. Could you please explain what this is?
This Python script generates a PDF file with an embedded QR code,
based on a message. This QR code contains the message signed
with your private gpg key. The purpose of this is to have a
printed signed document.
The idea is to build an Android application that verifies
signatures on these printed documents by scanning the text on
the document by for example OCR and verifies the text by checking
the QR code and verify the included signature.
So… it automatically checks that something is the same that was signed (and now in QR-container for machine reading). Just like @dcz described, in other words. I’d imagine that would make a huge code image if it’s a long text (pages), so, probably just a hash (which would be enough to verify there are no changes) would be more logical, maybe…? Unless it’s intended for short stuff like “final grade values”. The QR-code alone is not enough, it in any case needs to read the whole text to compare - either the file or OCR, which is very likely to have changes (likely to give a high rate of mis-matches on comparison). For short strings and values this seems more doable.
Edit: this QR-conversation should be forked or just moved to a new thread from camera development.
In this case, the QR code is part of the ongoing battle: Librem 5 v. my country’s COVID response and as such I am not too concerned about an attack vector, and keener that it “just works”.
I already have zbarimg installed on my phone. Let’s say that in the near foreseeable future the basic camera functionality is released - a script can get the camera to capture an image. So let’s say it is easy enough to capture an image and decode it as a QR code. Then it is easy enough to extract the scheme and show it to the user and ask the user whether to continue.
So my question then is … if I say “yes”, can a script send an SMS or launch Chatty to do so or … ?
A QR code just encodes arbitrary data. Interpretation of that data is outside the scope of the QR code. We don’t want the spec for QR codes as such.
It is certainly murky. There are URLs, URNs, URIs and it is unclear whether either of the two examples that I gave (WIFI:, SMSTO:) fit into one or more of those. The basic idea though is that they all start with “scheme:” where scheme has a limited character set, and what comes after the colon is scheme-specific. That is the general URL syntax. Some schemes further conform to the common internet scheme syntax. Some don’t. (Refer RFC 1738.)
SMSTO: more explicitly requests an action (send an SMS) - more like a command, as you say. (Like mailto: which is documented in RFC 1738.)
WIFI: provides the connectivity details for a Wireless Access Point - but does not necessarily request the action of associating with that WAP, although a client device might interpret the details as a request to associate.
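An added example, not code from any poster in this thread: one way to do the step discussed above, taking the text a QR decoder such as `zbarimg` produced, extracting the scheme, and showing the user what is being asked before anything is launched. The allowed-scheme list, the phone-number pattern and all function names are assumptions; actually sending the SMS is deliberately left out.

```python
import re

# Scheme names per RFC 1738: letters, digits, "+", "." and "-"; case-insensitive.
SCHEME_RE = re.compile(r"[A-Za-z0-9+.-]+")
# Assumption: what a plausible SMS destination looks like.
NUMBER_RE = re.compile(r"\+?[0-9]{3,15}")
ALLOWED = {"http", "https", "wifi", "smsto"}  # assumption: schemes we handle


def printable(text, limit=200):
    """Escape control/format characters and cap length before display."""
    safe = "".join(c if c.isprintable() else "<U+%04X>" % ord(c) for c in text)
    return safe[:limit] + ("..." if len(safe) > limit else "")


def describe(payload):
    """Return (scheme, summary of the requested action) or raise ValueError."""
    scheme, sep, rest = payload.partition(":")
    if not sep or not SCHEME_RE.fullmatch(scheme):
        raise ValueError("payload does not start with 'scheme:'")
    scheme = scheme.lower()
    if scheme not in ALLOWED:
        raise ValueError("unsupported scheme: " + scheme)
    if scheme == "smsto":
        # SMSTO:destination-mobile-number:text-of-message
        number, _, message = rest.partition(":")
        if not NUMBER_RE.fullmatch(number):
            raise ValueError("bad SMS destination: " + printable(number))
        return scheme, "send an SMS to %s saying: %s" % (number, printable(message))
    if scheme == "wifi":
        return scheme, "use Wi-Fi access point details: " + printable(rest)
    return scheme, "open the URL " + printable(payload)


def confirm(payload, ask=input):
    """Show the request; only an explicit 'yes' counts as consent."""
    scheme, summary = describe(payload)
    reply = ask("This QR code (%s) wants to %s\nContinue? [yes/NO] " % (scheme, summary))
    return reply.strip().lower() == "yes"


if __name__ == "__main__":
    # Constructed samples standing in for `zbarimg --raw -q photo.png` output.
    for sample in ("SMSTO:+15550100:hello", "WIFI:S:example-network;;", "tel:+15550100"):
        try:
            print(describe(sample))
        except ValueError as err:
            print("rejected:", err)
```

Escaping non-printable characters matters here because the decoded text is attacker-controlled and is about to be written to a terminal or dialog.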
My EU digital Covid-19 certificate. I do not care about sharing it as long as I have the chance to learn something from it. So what is this QR code that it has? I scanned it and it gives a big hash-like string. But how does this make it possible to verify that the document is original and unmodified?
(if you can call that decoded)
(forum may have butchered the layout)
You have exactly zero chance of knowing what information you are leaking. It might be safe. It might not be safe. Unless you can find some documentation from your government / from the EU.
I recommend that you install the zbar-tools package for the zbarimg command.
I recommend that you never post QR codes publicly unless you are able to verify for yourself what you are leaking.
There are no barcodes or QR codes on the Australian certificate. Low tech. Plenty of useful information for identity theft however.
In France, the flash code is in 2D Doc format.
At the end, there is a field for base32 encoded signature. It’s 64 bytes long, with NIST P-256 (ECDSA) encryption.
I would not keep the file public forever. I have already removed it. I put it up so some people in here can check the QR and maybe explain what and how it is doing what it is doing. I have not yet understood its function. Can someone explain?
I would hazard to guess that that hash code identifies you as vaccinated somehow. Maybe, once decoded or decrypted, it gives your name and info and such. Bit of a wild guess, though.
but you will have your work cut out for you as you will need to read and understand the RFCs for CBOR and COSE, and also grab the draft RFC for base45 encoding.
I expect that once you have decoded the QR code, you will find that it is leaking your name and date-of-birth - and that would be badness. I’m going to remove the decoded version above.
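An added example, not part of the original posts: the two outer layers that sit in front of the CBOR/COSE structure mentioned above can be peeled with a short base45 decoder and bounded zlib decompression, which is enough to see locally what a code contains before sharing it. The `HC1:` prefix and the zlib step come from the EU certificate specification rather than from this thread; the sample is constructed and holds no certificate data, and the function names are assumptions.

```python
import zlib

# Base45 alphabet as given in the base45 specification (RFC 9285).
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"

def b45encode(data):
    """Encoder, used here only to build the constructed sample below."""
    out = []
    for i in range(0, len(data), 2):
        chunk = data[i:i + 2]
        value = int.from_bytes(chunk, "big")
        for _ in range(len(chunk) + 1):
            value, digit = divmod(value, 45)
            out.append(ALPHABET[digit])
    return "".join(out)

def b45decode(text):
    """3 characters -> 2 bytes; a trailing pair of characters -> 1 byte."""
    if len(text) % 3 == 1 or any(ch not in ALPHABET for ch in text):
        raise ValueError("not valid base45")
    out = bytearray()
    for i in range(0, len(text), 3):
        chunk = [ALPHABET.index(ch) for ch in text[i:i + 3]]
        value = sum(d * 45 ** n for n, d in enumerate(chunk))
        size = len(chunk) - 1
        if value >= 256 ** size:
            raise ValueError("base45 group out of range")
        out += value.to_bytes(size, "big")
    return bytes(out)

def unwrap(qr_text, max_size=1 << 16):
    """Strip the prefix, undo base45 and zlib; return the raw CBOR bytes."""
    if not qr_text.startswith("HC1:"):
        raise ValueError("missing HC1: prefix")
    inflater = zlib.decompressobj()
    raw = inflater.decompress(b45decode(qr_text[4:]), max_size)  # bounded output
    if not inflater.eof:
        raise ValueError("truncated or oversized zlib stream")
    return raw

def is_cose_sign1(raw):
    """CBOR tag 18 (COSE_Sign1) is encoded as the single byte 0xD2."""
    return raw[:1] == b"\xd2"

# Constructed sample: a COSE_Sign1 tag and array header plus filler bytes.
SAMPLE = "HC1:" + b45encode(zlib.compress(b"\xd2\x84" + b"constructed-filler"))

if __name__ == "__main__":
    raw = unwrap(SAMPLE)
    print(len(raw), "bytes, COSE_Sign1 tag present:", is_cose_sign1(raw))
```

The bytes returned by `unwrap` still need a CBOR parser to read the signed payload, and a COSE verification against the issuer's public key to check the signature.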
I offer a very tentative opinion that France is doing something different.
It would not surprise me but the principle of the cryptographic signature must be more or less the same everywhere.
On the other hand, on the French pass, all the data are in clear text and can be easily retrieved with any 2D-DOC flash code reading application.
You can read the name, the first names, the date of birth, the disease concerned (covid-19), the type of vaccine injected (mRNA or other), the producer of the vaccine, the number of doses received, whether the vaccination protocol is completed or not. In some cases it can be deduced whether the person had already had covid before vaccination (one dose of vaccine and protocol completed) or whether he/she was immunodeficient (3 doses of vaccine or 2 doses and protocol not completed).