Technical Notes

Information for developers.

Platform

Libraree Cards was written using Svelte in TypeScript. The code is available in the Libraree GitHub project within the cards folder.

It relies on Quagga2 for scanning barcodes and bwip-js for generating barcode images.

Apple Wallet cards are issued and signed by me, Chris Wood, using a certificate associated with my Apple Developer account. The server-side signing process happens within an Azure Function written in Node.

Card Signing Approach

This is a more technical write-up of the information found on the Privacy page and explains how a card can be generated and signed without sharing the library card number with the Libraree server.

The Apple Wallet card is generated as follows:

Phone:

Create a pass.json file containing the library card number, cardholder name, colour schemes, etc.

Create two barcode PNG images using bwip-js (one for @1X resolutions and one for @2X resolutions).

Calculate the SHA1 hashes of pass.json, strip.png and strip@2x.png.

Send the SHA1 hashes and the library code (e.g. E10000017 for Lancashire) to the Azure Function.

Server:

Create a zip archive containing a logo PNG image and two icon PNG images (one for @1X resolutions and one for @2X resolutions).

Calculate the SHA1 hashes of logo.png, icon.png and icon@2x.png.

Combine the phone hashes and server hashes into one list and use these together with the Apple Developer certificate to create a detached SHA1 signature file.

Add the detached signature file to the zip archive.

Return the binary of the zip archive to the phone with a content type of application/vnd.apple.pkpass.

Phone:

Receive the pkpass archive.

Using the binary stream as a zip archive, add pass.json, strip.png and strip@2x.png to it.

Make the binary of the modified pkpass file available as a download.

Part of the reason for processing logos and icons on the server is to deter people from using the Libraree API as a generic card-signing function using my Apple Developer certificate. If somebody does attempt to do that, they'll be forced to use the logos of a library service, which is probably unappealing to most unscrupulous characters!
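
The following added example, which is not code from the Libraree project, models the hash exchange in the steps above in Node: the phone hashes its three files locally and the server merges those digests with the hashes of its own files. The function names, the filename-to-hash map and the server-side check that only the three phone-owned filenames are accepted are assumptions; the certificate signing and zip steps are left out.

```javascript
// Added example: all names are hypothetical; signing and zipping are out of scope here.
const crypto = require("node:crypto");

const PHONE_FILES = ["pass.json", "strip.png", "strip@2x.png"];
const SHA1_HEX = /^[0-9a-f]{40}$/;
const sha1Hex = (data) => crypto.createHash("sha1").update(data).digest("hex");

// Phone side: hash the private files locally; only digests and the library code leave the device.
function buildSigningRequest(libraryCode, files) {
  const hashes = {};
  for (const name of PHONE_FILES) {
    if (!(name in files)) throw new Error(`missing ${name}`);
    hashes[name] = sha1Hex(files[name]);
  }
  return { libraryCode, hashes };
}

// Server side: accept exactly the three phone-owned entries, then add the server's own hashes.
function buildManifest(request, serverFiles) {
  const names = Object.keys(request.hashes).sort();
  if (JSON.stringify(names) !== JSON.stringify([...PHONE_FILES].sort())) {
    throw new Error("unexpected or missing file names in request");
  }
  const manifest = {};
  for (const name of PHONE_FILES) {
    const h = request.hashes[name];
    if (typeof h !== "string" || !SHA1_HEX.test(h)) throw new Error(`bad hash for ${name}`);
    manifest[name] = h;
  }
  for (const [name, data] of Object.entries(serverFiles)) manifest[name] = sha1Hex(data);
  return manifest; // the combined list the server would go on to sign
}

// Constructed sample data (not a real card number or real images).
const CARD_NUMBER = "0000-EXAMPLE-1234";
const phoneFiles = {
  "pass.json": Buffer.from(JSON.stringify({ barcode: CARD_NUMBER, name: "A. Reader" })),
  "strip.png": Buffer.from("constructed-1x-barcode-bytes"),
  "strip@2x.png": Buffer.from("constructed-2x-barcode-bytes"),
};
const serverFiles = {
  "logo.png": Buffer.from("constructed-logo"),
  "icon.png": Buffer.from("constructed-icon"),
  "icon@2x.png": Buffer.from("constructed-icon-2x"),
};
const request = buildSigningRequest("E10000017", phoneFiles);
const manifest = buildManifest(request, serverFiles);
console.log(JSON.stringify(request), Object.keys(manifest));
```

The request body printed at the end contains only the library code and three 40-character digests, and a request that tries to supply its own `logo.png` hash is rejected before anything would be signed.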
