[mqus]

just a pretty standard certificate hierarchy, in germany the pharmacies can sign your information (when given your paper vaccination pass) and give you a QR Code, or you get it right when you get vaccinated. Obviously those are then the weak points and afaik there are ~25 root(/revocable?) keys for germany alone. Contained in the QR code are your name, DOB and which vaccinations you already got. So the QR code is only valid together with your Photo ID.

> What I’m getting at here is how are they validating keys without leaking the keys used to sign?

Public and private keys. Pharmacies and doctors have control over private keys/keys signed by the "root" keys. The checking app has the public keys and can check if the signature of the data is valid (matches the data and the private keys).

[deanclatworthy]

This isn’t secure re: your last point. If every country in Europe has numerous private keys it’s inevitable they’re leaked and used to sign fake vaccine passes.

[mqus]

They have numerous private keys precisely because of leakage risk. In that case only one (or two) of them will get leaked (and then hopefully revoked), leaving the others intact.