RSA/ECB/PKCS1Padding is used.
Unless somebody finds for example collision for public key bellow QR will probably not be possible to be faked properly (and they would easily change it in new versions too !).
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1AY0/6cxMwi+i1u5f/m8 H91vvhQAQfUdPJjqSuerN9sjOzt6hD/8iUq0fELh4ZkES1YUf+ygzfWdewIRRNsn YXQcWEY02wPelqxmzWv1JPskCgKwkNPpiFxO8phLnJTts9xRwLDs2W2Y0zrf7EWD tpHaTuDASy8ipMo9fect7t3epN48A2//K9iA1y+5e0bUtxRba2lVf6x7VBMbXlrx qsjaeC72J1mjs3flGGoINhHtVZF6g4YhJkRAhqX2IsNPRJa6yRCKXKm2anDeFoLI BtgIym6oERdTtUAWK05U1ozgjC24mOIIpqQOAqdvatq0dhFRWPL2hBjoJwc8JxHN
-----END PUBLIC KEY-----
those above is current public key found by specialists in Polish app decoding it.I don't know how in the rest of EU,but probably that would be somehow compatible,maybe using even the same keys.
Encrypt with private key (unknown) data in format:
Where: 12345678 is "vaccine" number (id),
1 is "resource version" (immunization),
dates are "vaccination" dates,
Name is Name,
15-12 is example birth date without year.
X is Surname first char.
10 is probably one of "vaccine" types.
Write version of app encoding by number - now 1 and give ";" + Encode encrypted data using base64 encoding. Code into QR.
Simply main problem for better forging it is private key or generating collision on it.
Probably some codes for now would be vulnerable if someone has the same name and first letter of surname by simply copying those shit from "vaccinated" person but anyway this shit would be more problematic that those CDC cards in USA :(