Does Apple allow packed format attestation in passkey credential provider approach?

I am trying to implement a third-party passkey credential provider and I have been able to successfully set up the project for that. Below is the sample code I am using:

let passkeyRegistrationCredential = ASPasskeyRegistrationCredential(
    relyingParty: self.request?.credentialIdentity.serviceIdentifier.identifier ?? "",
    clientDataHash: self.request?.clientDataHash ?? Data(),
    credentialID: Data(credentialId),
    attestationObject: Data(attestationBytes)
)

self.extensionContext.completeRegistrationRequest(using: passkeyRegistrationCredential)

The attestationBytes object that I am generating and sending back to RP seems to work only if I set the "fmt" to "none", which basically requires "attStmt" to be sent as an empty value as per WebAuthn spec - https://www.w3.org/TR/webauthn-2/#sctn-none-attestation

When trying to set the "fmt" to "packed" in the attestation object and creating a self-signed "attStmt" consisting of "alg" and "sig" key-values, referring to https://www.w3.org/TR/webauthn-2/#sctn-packed-attestation, it does not seem to work. The RP throws an error. I do not have the "x5c" object as that supposedly is not mandatory in case of self attestation. I also have "authData" properly set up as part of the response.

Is it not possible to use packed attestation or am I missing something in creating the attestation object? Also, does Apple modify the response being sent in the background before sending to RP if packed fmt is used?
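For reference, the structural checks a relying party makes on a packed self-attestation object under the WebAuthn section linked above, as an added example that is not the poster's or Apple's code. The names `cbor_decode`, `check_packed_self`, `AUTH` and `SAMPLE` are hypothetical, the sample bytes are constructed with a placeholder signature, and the signature itself is not verified; the function returns the bytes that `sig` must cover.

```python
def cbor_decode(buf, i=0):
    """Decode one item of the CBOR subset WebAuthn uses; return (value, next_index)."""
    major, info = buf[i] >> 5, buf[i] & 0x1F
    i += 1
    if info < 24:
        n = info
    elif info < 28:  # a 1, 2, 4 or 8 byte length/value follows
        size = 1 << (info - 24)
        n, i = int.from_bytes(buf[i:i + size], "big"), i + size
    else:
        raise ValueError("unsupported CBOR additional info")
    if major < 2:  # unsigned / negative integer
        return (n if major == 0 else -1 - n), i
    if major < 4:  # byte string / text string
        raw = bytes(buf[i:i + n])
        return (raw if major == 2 else raw.decode()), i + n
    if major > 5:
        raise ValueError("unsupported CBOR major type")
    items = []
    for _ in range(n * (major - 3)):  # n array items, or 2n map keys and values
        item, i = cbor_decode(buf, i)
        items.append(item)
    return (items if major == 4 else dict(zip(items[::2], items[1::2]))), i

def check_packed_self(att_obj, client_data_hash):
    """Return (problems, bytes_sig_must_cover) for a packed self-attestation object."""
    obj, _ = cbor_decode(att_obj)
    stmt, auth = obj.get("attStmt", {}), obj.get("authData", b"")
    problems = []
    if obj.get("fmt") != "packed":
        problems.append("fmt is not 'packed'")
    if "x5c" in stmt:
        problems.append("x5c present: not self attestation")
    if not isinstance(stmt.get("sig"), bytes):
        problems.append("attStmt.sig missing")
    # authData: rpIdHash(32) flags(1) signCount(4) aaguid(16) credIdLen(2) credId COSE key
    if len(auth) < 55 or not auth[32] & 0x40:
        return problems + ["AT flag unset or attested credential data missing"], None
    cred_len = int.from_bytes(auth[53:55], "big")
    cose_key, _ = cbor_decode(auth, 55 + cred_len)
    if stmt.get("alg") != cose_key.get(3):  # COSE key label 3 is "alg"
        problems.append("attStmt.alg differs from credential public key alg")
    return problems, auth + client_data_hash  # sig is computed over this concatenation

# Constructed sample: ES256 (-7) COSE key with zeroed coordinates, 4-byte placeholder sig.
COSE = bytes.fromhex("a5010203262001215820") + bytes(32) + bytes.fromhex("225820") + bytes(32)
AUTH = bytes(32) + b"\x45" + bytes(4) + bytes(16) + b"\x00\x04demo" + COSE
SAMPLE = (b"\xa3\x63fmt\x66packed\x67attStmt\xa2\x63alg\x26\x63sig\x44\x00\x00\x00\x00"
          b"\x68authData\x58" + bytes([len(AUTH)]) + AUTH)
```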

Attestation for passkeys isn't defined in the spec yet. The existing attestation formats were designed before credentials could sync, and they don't really make sense in a syncing credential world. For example, you can't meaningfully attest to security properties of a device when that device can change over time.

Defining attestation formats for passkeys is currently being worked on in the FIDO Alliance.

Hi,

Have there been any new developments with this? I understand the design of having the none attestation to enable credential syncing, but in a world where we 'want' to restrict passkeys to the device, having attestation for passkeys provides the extra integrity.
