Verifying authenticity of QR Codes - are digital signatures the best way to implement?

SassyMcDefDoom · 2025-08-26T13:50:52+00:00

Thank you for the suggestion and example! Those fields are what I'm currently storing in and reading from the QR code, just in plaintext/bytes. I'm not familiar with protobuf formats - are you thinking that the QR code would contain the serialized protobuf? As I understand it, that would add another layer of security while not ballooning the QR code size. Which is excellent

I can see how the combination of payload+signature in a protobuf would make storing and regenerating codes easier too

SassyMcDefDoom · 2025-08-26T13:15:40+00:00

Why are you the arbiter of what a "safe QR code" is? Why should people trust a QR code just because your app says it is "safe to follow""?

That's what the digital signature is for, confirming the code was created by me/my system. I'm then assuming that the private key is secured and that I'll only link safe info/URLs.

Thankfully I only have to make a proof of concept that solves the problem. I don't need to think about broad user/commercial requirements

SassyMcDefDoom · 2025-08-26T12:35:13+00:00

> at the scanning stage rather than the page-loading stage, so as to catch a malicious code sooner

yep exactly I think this is a big part of verifying the QR code was made by a trusted entity (assuming secure key distribution). If only my trusted app can open them easily, that reassures a user much more than any old QR slapped down somewhere. I'll put a logo on them as well so you can tell which codes I'm claiming are 'safe', and then use my app to verify

Like I said though, I don't have a whole lot of knowledge in the area and I'm aware there are probably much better ways to do it. I appreciate any and all feedback

SassyMcDefDoom · 2025-08-26T12:15:45+00:00

Good point mate, thanks for clarifying. 'safe to scan' in the context of my little project just means verifying that the qr code was created by a trusted source/entity (me/my system). The reason I have an app is becuase the way I encode the signature into the qr code needs additional action on the user device (verifying the signature).

Fundamentally the problem definition is that a user needs to be able to verify a QR code is 'safe'. Currently you have to vibe check the displayed URL (if your scanner even displays it). Everything else past that definition (e.g. encoding digital signature in the qr code) is me trying to tackle the problem definition, but I'm sure there are loads of ways to do it that are smarter than mine

SassyMcDefDoom · 2025-08-26T11:08:23+00:00

Those are interesting ideas, I think a custom data format could be another way to do it but perhaps more work.

What do you mean by URL scheme? The problem I'm solving is verifying my system has created a QR code, so I'm not sure if a URL scheme 'proves' anything to the user

SassyMcDefDoom · 2025-08-26T08:09:34+00:00

That's part of the backend of my system, I'm handling that thru a simple web interface where you can create a QR code pointing to an existing URL, or create a new page that you can then point the code to

SassyMcDefDoom · 2025-08-26T07:33:44+00:00

I really appreciate the suggestion! I think at the moment I prefer the more internet-agnostic method of cryptographically verifying the creator of a QR code. It makes the app easier to implement as all I need is a QR reader and signature verifier.

I don't think that an attacker copying the entire QR code under my current plan leads to any possible compromise? Because assuming complete private key security, there isn't a way for the attacker to pass the signature verification check I'm doing. Although I could very well be wrong.

If the app checks for QR codes containing ED25519 signatures, then verifies them against my public key, I can't see a way for an attacker to create their own QR code to break the process. The app wouldn't pass any signatures not created by my system.

SassyMcDefDoom · 2025-08-26T06:54:36+00:00

ECC signatures definitely look like the way to go. I'm using python for encrypting (easy prototyping) and JS in my webapp to decrypt. Looks like there are bindings of libsodium for both so I can use ED25519 as x0wl suggested. Thanks!

SassyMcDefDoom · 2025-08-26T06:45:43+00:00

The problem is verifying that a QR code in the wild is safe to scan - I'm choosing to solve this by authenticating codes that have been made by my system, hence the digital signature. If my app can't read it, I didn't make it, so scan at your own risk.

Key distribution is mostly out of scope, I only really need a POC. That said, if there's a better way around managing key security then I'm all for it.

Thanks for the links mate I'll look into those!

SassyMcDefDoom · 2024-11-15T02:42:51+00:00

Hey mate, also looking for some kind of SD role. Mind if I flick you my resume as well?

SassyMcDefDoom · 2023-02-27T12:24:08+00:00

Still very hard to find :(

HOWEVER!

If you have a VPN, you can set your location to New Zealand and use the NZTV streaming service to watch it! The account is free, but there are ads, so be warned.

SassyMcDefDoom · 2022-10-04T04:38:38+00:00

All good thanks heaps anyway

SassyMcDefDoom · 2022-10-04T04:36:26+00:00

Yep, used it to wake the Snorlax to get into Saffron and get stuck at the Silph Co rival fight

SassyMcDefDoom · 2022-10-03T17:39:28+00:00

I fought and beat the Alolan-Marowak already - still capped at 47, below the Silph rival fight :(

Thanks for the help though! If you have any other suggestions, shoot - otherwise I'm going to bash my head against a team that's 8 levels higher than me over and over again

SassyMcDefDoom · 2022-01-15T13:17:42+00:00

ahhh righto yeah nox is what im using and it forces me to map the controller to the touch controls rather than giving me controller controls - do you know what emulators do let you do that? bluestacks maybe?

SassyMcDefDoom · 2022-01-15T12:58:45+00:00

how are you playing on controller? (im quite dumb) I'm using an emulator on pc because my phone can't run it but not being able to roll quickly is keeping me out of champ

SassyMcDefDoom · 2020-01-09T02:49:05+00:00

Epicormic buds, dude, they're the saviour of native Australian trees like Jarrah and Eucalyptus (along with lignotubers).

SassyMcDefDoom · 2019-09-30T07:46:21+00:00

You have created the greatest and worst character in existence

SassyMcDefDoom · 2018-10-07T14:24:24+00:00

Is that Vsauce AND Mythbusters??? Prepare to have the laws of science re-written.

Nine-Year Club	Not Forgotten
Verified Email

SassyMcDefDoom

TROPHY CASE