>Apple Wallet passes use CMS signatures. you're right that only hashes are signed. but Apple requires an official Developer certificate ($99/year) with a private key that can't be exposed to browsers.

Why can't the browser send the hash to the server for signing?