>UPDATE: French & Polish authorities found no sign of cryptographic compromise in the leak of the private key used to sign the vaccine passports and to create fake passes for Mickey Mouse and Adolf Hitler, et al.

Afaik it was a leaked login, not a leak of the keys.

Shouldn't they have a record of all the things they signed?

I would expect them to know where and when that Adolf pass was generated

The keys were not leaked but the web interfaces that allowed generation of these certificates was left open and accessible.

Passes have been sold (through the clear web and the dark web) but many have also been revoked since. As far as I know, the certificates being sold right now are either someone else's certificate (for places that don't check your ID when you walk in) and certificates generated by people working for places that also give out legitimate certificates, such as some pharmacies and hospitals.

The private keys were NOT leaked.

There have been fraudulently obtained passes sold on the dark web. There have also been numerous arrests throughout the whole of Europe for this.

The vast majority of the dark-web suppliers are scammers - many of the adverts include a mix of QRs people have posted to social media and a large number of example QR. Including examples that I have generated in the past and used in presentations / on github.

Why not just charge the unvaccinated with attempted manslaughter or reckless endangerment and put them all in jail? /s

Ah yes, repeat the evil dark web narrative. As if a VPS in Russia would get you into trouble. Criminals will be criminals, also if tor etc. wouldn't exist and non-criminals wouldn't get to be anonymous, too.

They haven't been revoked yet?

Some have, but not all... yet.