Security News
New Python Packaging Proposal Aims to Solve Phantom Dependency Problem with SBOMs
PEP 770 proposes adding SBOM support to Python packages to improve transparency and catch hidden non-Python dependencies that security tools often miss.
passkit-generator
Advanced tools
v2.0.0 beta is now available! It introduces a lot of changes. Check it out in its new branch. Also, a migration guide has been made available. Any suggestion is well-accepted. Thank you!
This package was created with a specific architecture in mind: application and model, to split as much as possible static objects (such as logo, background, icon, etc.) from dynamic ones (translations, barcodes, serialNumber, ...).
Actually, pass creation and population doesn't fully happen within the application in runtime. Pass template is a folder in, for example, your application directory (but nothing will stop you from putting it outside), that will contain all the objects needed (static medias) and structure to make a pass work.
Pass template will be read and pushed as is in the resulting .zip file along with web-fetched medias (also considered dynamic objects), while dynamic objects will be patched against pass.json
or generated in runtime (manifest.json
, signature
and translation files).
This package comes with an API documentation, that makes available a series of methods to customize passes.
⚠ Do not rely on branches outside "master", as might not be stable and will be removed once merged.
$ npm install passkit-generator --save
The first thing you'll have to do, is to start creating a model. A model is a folder in your project directory, with inside the basic pass infos, like the thumbnails, the icon, and the background and pass.json containing all the static infos about the pass, like Team identifier, Pass type identifier, colors, etc.
Using the .pass extension is a best practice, showing that the directory is a pass package. (Build your first pass - Apple Developer Portal).
Following to this best practice, the package is set to require each model to have a .pass extension. If the extension is not specified in the configuration (as in Usage Example, at "model" key), it will be added forcefully.
$ cd yourProjectDir;
$ mkdir passModels && mkdir $_/myFirstModel.pass && cd $_;
Follow the Apple Developer documentation (Package Structure) to build a correct pass model. The icon is required in order to make the pass work. Manifest.json and signature will be automatically ignored from the model and generated in runtime.
You can also create .lproj
folders (e.g. en.lproj or it.lproj) containing localized media. To include a folder or translate texts inside the pass, please refer to Localizing Passes in the API documentation.
Create a pass.json
by taking example from examples folder models or the one provided by Apple for the first tutorial and fill it with the basic informations, that is teamIdentifier
, passTypeIdentifier
and all the other basic keys like pass type. Please refer to Top-Level Keys/Standard Keys and Top-Level Keys/Style Keys.
{
"formatVersion": 1,
"passTypeIdentifier": "pass.<bundle id>",
"teamIdentifier": "<here your team identifier>",
"organizationName": "<your organization name>",
"description": "A localizable description of your pass. To do so, put here a placeholder.",
"boardingPass": {}
}
The third step is about the developer and WWDR certificates. I suggest you to create a certificate-dedicated folder inside your working directory (e.g. ./certs
) to contain everything concerning the certificates.
This is a standard procedure: you would have to do it also without using this library. We'll use OpenSSL to complete our work (or to do it entirely, if only on terminal), so be sure to have it installed. You'll need the following three elements:
While WWDR can be obtained from Apple PKI Portal, to get the signer key
and the certificate
, you'll have to get first a Certificate Signing Request
(.certSigningRequest
file) and upload it to Apple Developers Portal, at Pass Types Identifiers (open it, it's worth it 😜).
If you don't have access to macOS (or you are a terminal enthusiast), follow these steps instead.
Create a new pass type identifier and provide it with a Name and a reverse-domain bundle id (starting with "pass."). You will put this identifier as value for passTypeIdentifier
in pass.json
file.
Confirm and register the new identifier.
Go back to the pass type identifiers, click on your new pass id and edit it.
Click "Create Certificate" button and follow the instructions until you won't download a certificate like pass.cer
. (here you'll generate the .certSigningRequest
file to be uploaded).
Open the downloaded certificate. Go in "Certificates" on left in macOS Keychain access and right-click > Export "\<certname\>"
. Choose a password (and write it down) and you will get a PKCS#12 file (.p12
).
Open terminal, place where you want to save the files and insert the following OpenSSL commands changing the contents between angular brackets. You'll have to choose a secret passphrase (and write it down) that you'll use also in the application.
# Creating and changing dir
$ mkdir "certs" && cd $_
# Extracting key and cert from pkcs12
$ openssl pkcs12 -in <cert-name>.p12 -clcerts -nokeys -out signerCert.pem -passin pass:<your-password>
$ openssl pkcs12 -in <cert-name>.p12 -nocerts -out signerKey.pem -passin pass:<your-password> -passout pass:<secret-passphrase>
Execute step 5 also for the WWDR certificate (.cer
) you downloaded from Apple PKI portal (default name: AppleWWDRCA.cer) but instead exporting it as PKCS#12 (.p12
- you'll also be unable to do that), export it as PEM (.pem
) file.
const { Pass } = require("passkit-generator");
let examplePass = new Pass({
model: "./passModels/myFirstModel",
certificates: {
wwdr: "./certs/wwdr.pem",
signerCert: "./certs/signercert.pem",
signerKey: {
keyFile: "./certs/signerkey.pem",
passphrase: "123456"
}
},
overrides: {
// keys to be added or overridden
serialNumber: "AAGH44625236dddaffbda"
},
// if true, existing keys added through methods get overwritten
// pushed in queue otherwise.
shouldOverwrite: true
});
// Adding some settings to be written inside pass.json
examplePass.localize("en", { ... });
examplePass.barcode("36478105430"); // Random value
// Generate the stream, which gets returned through a Promise
examplePass.generate()
.then(stream => {
doSomethingWithTheStream(stream);
})
.catch(err => {
doSomethingWithTheError(err);
});
If you used this package in any of your projects, feel free to open a topic in issues to tell me and include a project description or link (for companies). 😊 You'll make me feel like my time hasn't been wasted, even if it had not anyway because I learnt a lot of things by creating this.
The idea to develop this package, was born during the Apple Developer Academy 17/18, in Naples, Italy, driven by the need to create an iOS app component regarding passes generation for events.
A big thanks to all the people and friends in the Apple Developer Academy (and not) that pushed me and helped me into realizing something like this and a big thanks to the ones that helped me to make technical choices.
Any contribution, is welcome. Made with ❤️ in Italy.
FAQs
The easiest way to generate custom Apple Wallet passes in Node.js
The npm package passkit-generator receives a total of 11,169 weekly downloads. As such, passkit-generator popularity was classified as popular.
We found that passkit-generator demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
PEP 770 proposes adding SBOM support to Python packages to improve transparency and catch hidden non-Python dependencies that security tools often miss.
Security News
Socket CEO Feross Aboukhadijeh discusses open source security challenges, including zero-day attacks and supply chain risks, on the Cyber Security Council podcast.
Security News
Research
Socket researchers uncover how threat actors weaponize Out-of-Band Application Security Testing (OAST) techniques across the npm, PyPI, and RubyGems ecosystems to exfiltrate sensitive data.