Reply to Verifying PassKey Signature - Structure
Update, this is slightly better, at least now I can see there is an issue with the signature, the authenticator is 37 bytes long, which breaks my generated signature:

32 bytes authenticator_data_bytes
32 bytes client_data_hash_bytes
signature = 64 bytes

I'm foolishly taking the first 32 bytes of the authenticator...seems very wrong

```python
client_data_hash = hashlib.sha256()
client_data_hash.update(client_data_bytes)
client_data_hash_bytes = client_data_hash.digest()

key_from_dict = CoseKey.from_dict(key)

publicKeyU2F = b"".join([
    #bytearray.fromhex('3059301306072a8648ce3d020106082a8648ce3d030107034200'),
    (0x04).to_bytes(1, byteorder='big'),
    key_from_dict.x,
    key_from_dict.y
])
print("publicKeyU2F: {0}".format(publicKeyU2F))

signature_base = b"".join(
    [
        authenticator_data_bytes[0:32],
        client_data_hash_bytes,
    ]
)
print("authenticator_data_bytes len: {}".format(len(authenticator_data_bytes)))
print("client_data_hash_bytes len: {}".format(len(client_data_hash_bytes)))

# vk = ecdsa.VerifyingKey.from_string(publicKeyU2F, curve=ecdsa.NIST256p, hashfunc=sha256) # the default is sha1
verifyingKey = ecdsa.VerifyingKey.from_string(publicKeyU2F, curve=ecdsa.NIST256p, hashfunc=sha256)
#verifyingKey = ecdsa.VerifyingKey.from_string(bytes.fromhex(keyasHex), curve=ecdsa.SECP256k1, hashfunc=sha256, valid_encodings=['raw'])
verified = verifyingKey.verify(signature_base, decodedSignature)
```

Gives an ecdsa.keys.BadSignatureError: Signature verification failed
Topic: Privacy & Security SubTopic: General Tags:
Jul ’22
Reply to Verifying PassKey Signature - Structure
Thanks, I'm trying to get it working with a very specific use-case to begin with, reading the spec, it reads like this should work, unfortunately, I always get a bad signature error :-(

```python
client_data_hash = hashlib.sha256()
client_data_hash.update(client_data_bytes)  # credentialAssertion.rawClientDataJSON
client_data_hash_bytes = client_data_hash.digest()

publicKey = b"".join([
    (0x04).to_bytes(1, byteorder='big'),
    key_from_dict.x,
    key_from_dict.y
])

signature_base = b"".join(
    [
        authenticator_data_bytes,  # credentialAssertion.rawAuthenticatorData
        client_data_hash_bytes,
    ]
)

signature_base_hash = hashlib.sha256()
signature_base_hash.update(signature_base)
signature_base_hash_bytes = signature_base_hash.digest()

vk = ecdsa.VerifyingKey.from_string(publicKey, curve=ecdsa.NIST256p, hashfunc=sha256)  # the default is sha1

sig = decodedSignature  # credentialAssertion.signature decoded from base64 to bytes
msg = signature_base_hash_bytes

try:
    vk.verify(sig, msg)
    print("good signature")
except BadSignatureError:
    print("BAD SIGNATURE")
```
Topic: Privacy & Security SubTopic: General Tags:
Jul ’22
Reply to Vision OS Hello World Sample Code Compile Error
I suggest trying with Xcode 15 Beta 7, it would also be great to see in your screenshot what scheme/target you are trying to build
Topic: UI Frameworks SubTopic: SwiftUI Tags:
Aug ’23
Reply to Multiple Active Windows in VisionOS
Here's what I'm seeing in the simulator, both windows appear to be fully active and interactable at the same time
Topic: UI Frameworks SubTopic: SwiftUI Tags:
Aug ’23
Reply to Format of 3D videos
This WWDC 2023 session mentions that the format is: MV-HEVC https://developer.apple.com/videos/play/wwdc2023/10071/
Topic: App & System Services SubTopic: Core OS Tags:
Aug ’23
Reply to Revoke/change a passkey
If someone knows the userID, what's stopping them from registering with the target's userID...essentially taking over their account?
Topic: Privacy & Security SubTopic: General Tags:
Jul ’22
Reply to There are no matching passkeys saved in your iCloud Keychain for domain
gosh, ignore me, I found the magic, I had to set: "rpId" in navigator.credentials.get to be the naked domain
Topic: Privacy & Security SubTopic: General Tags:
Jul ’22
Reply to There are no matching passkeys saved in your iCloud Keychain for domain
It appears I get conflicting results, if my RP is the naked domain it works, if I visit my site with a www subdomain, auth fails :-(
Topic: Privacy & Security SubTopic: General Tags:
Jul ’22
Reply to Verifying PassKey Signature - Structure
aha, Signature is ASN.1, this is now valid

```python
verified = verifyingKey.verify(decodedSignature, signature_base, hashfunc=hashlib.sha256, sigdecode=sigdecode_der)
```
Topic: Privacy & Security SubTopic: General Tags:
Jul ’22
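The byte layout behind the signature posts and the rpId posts above, as an added example that is not part of the original posts: it splits the 37-byte authenticator data, checks its first 32 bytes against the SHA-256 of an RP ID, builds the signed message from the whole authenticator data, and decodes an ASN.1 DER signature into r and s. The function names, the `example.com` RP ID and every sample byte are assumptions constructed for illustration; the sample signature only shows the encoding and is not a valid signature.

```python
import hashlib
import struct

def parse_authenticator_data(auth_data: bytes) -> dict:
    """rpIdHash (32) | flags (1) | signCount (4, big-endian) | optional data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data must be at least 37 bytes")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & 0x01),
        "user_verified": bool(flags & 0x04),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }

def rp_id_matches(auth_data: bytes, rp_id: str) -> bool:
    """The first 32 bytes are SHA-256 of the RP ID the credential is scoped to."""
    return auth_data[:32] == hashlib.sha256(rp_id.encode()).digest()

def build_signature_base(auth_data: bytes, client_data_json: bytes) -> bytes:
    """Signed message: the whole authenticator data, then SHA-256(clientDataJSON)."""
    return auth_data + hashlib.sha256(client_data_json).digest()

def decode_der_signature(sig: bytes) -> tuple:
    """Decode SEQUENCE { INTEGER r, INTEGER s }; short-form lengths cover P-256."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER-encoded ECDSA signature")
    pos, ints = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected a DER INTEGER")
        end = pos + 2 + sig[pos + 1]
        if end > len(sig):
            raise ValueError("INTEGER runs past the end of the signature")
        ints.append(int.from_bytes(sig[pos + 2:end], "big"))
        pos = end
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return ints[0], ints[1]

# Constructed sample values (not from the thread, and not a valid signature).
AUTH_DATA = hashlib.sha256(b"example.com").digest() + bytes([0x05]) + (7).to_bytes(4, "big")
CLIENT_DATA = b'{"type":"webauthn.get","challenge":"Y29uc3RydWN0ZWQ","origin":"https://www.example.com"}'
R_BYTES, S_BYTES = b"\x00" + b"\x9a" * 32, b"\x11" * 32  # leading 0x00 keeps r positive
SAMPLE_SIG = bytes([0x30, 69, 0x02, 33]) + R_BYTES + bytes([0x02, 32]) + S_BYTES

if __name__ == "__main__":
    print(parse_authenticator_data(AUTH_DATA))
    print(rp_id_matches(AUTH_DATA, "example.com"), rp_id_matches(AUTH_DATA, "www.example.com"))
    print(len(build_signature_base(AUTH_DATA, CLIENT_DATA)), len(SAMPLE_SIG))
```

The signed message here is 37 + 32 = 69 bytes, and the DER signature is 71 bytes rather than a fixed 64, because each integer carries a tag, a length and, when its top bit is set, a leading zero byte.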
Reply to PassKeys decoded attestation has no statement
I've found the key in the authData section
Topic: Privacy & Security SubTopic: General Tags:
Jul ’22
Reply to PassKeys decoded attestation has no statement
hmmm, as noted here: https://developer.apple.com/forums/thread/708982 the engineer states passkeys have no statement...confusing
Topic: Privacy & Security SubTopic: General Tags:
Jul ’22
Reply to PassKeys PublicKey
Thanks for that, just adding for future reference, it looks like the attestation object is in CBOR format.
Topic: Privacy & Security SubTopic: General Tags:
Jul ’22
Reply to PassKeys PublicKey
ah, reading the docs more, the key could be a cose key - but still, not sure how to extract it from the bytes
Topic: Privacy & Security SubTopic: General Tags:
Jul ’22