Chrome Passkey Invalid Signature Error WebAuthN

I have been testing Passkeys and there has been quite a few devices that can be enrolled as WebAuthN Tokens in PrivacyIDEA, including Android Passkeys,MacOS Cloud, Edge…
Unfortunately, Chrome gives the following Invalid Signature Error.
Any ideas where this goes wrong?
Has anyone successfully configured PrivacyIDEA to use Passkeys with Chrome?
It would be a huge usability gain if that was supported, too.

Traceback (most recent call last):
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/lib/tokens/", line 1188, in verify_attestation_statement
    _verify_signature(credential_public_key, alg, verification_data, signature)
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/lib/tokens/", line 2044, in _verify_signature
    public_key.verify(signature, data, ECDSA(SHA256()))
  File "/opt/privacyidea/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/", line 315, in verify
    _ecdsa_sig_verify(self._backend, self, signature, data)
  File "/opt/privacyidea/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/", line 122, in _ecdsa_sig_verify
    raise InvalidSignature

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/privacyidea/lib/python3.10/site-packages/flask/", line 2447, in wsgi_app
    response = self.full_dispatch_request()
  File "/opt/privacyidea/lib/python3.10/site-packages/flask/", line 1952, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/opt/privacyidea/lib/python3.10/site-packages/flask/", line 1821, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/opt/privacyidea/lib/python3.10/site-packages/flask/", line 39, in reraise
    raise value
  File "/opt/privacyidea/lib/python3.10/site-packages/flask/", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/privacyidea/lib/python3.10/site-packages/flask/", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/api/lib/", line 158, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/api/lib/", line 158, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/api/lib/", line 158, in policy_wrapper
    return wrapped_function(*args, **kwds)
  [Previous line repeated 20 more times]
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/api/lib/", line 156, in policy_wrapper
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/api/lib/", line 2055, in webauthntoken_allowed
    ) = WebAuthnRegistrationResponse.verify_attestation_statement(fmt=att_obj.get('fmt'),
  File "/opt/privacyidea/lib/python3.10/site-packages/privacyidea/lib/tokens/", line 1190, in verify_attestation_statement
    raise RegistrationRejectedException('Invalid signature received.')
privacyidea.lib.tokens.webauthn.RegistrationRejectedException: Invalid signature received.

since the signature verification failed, did you check that the signature was created with the correct key/algorithm? In this case privacyidea expected ES256.
What authenticator device are you using?

I’m not sure what algorithm ist used. I’m not using a device like a Yubikey (those work) but a Passkey created in Chrome.
In theory, this should be no different than a hardware key…
It’s a little confusing since other similar tokens (like doing the same with an iCloud Passkey or a Passkey in Edge) worked, so I expected it to work with Chrome on my Mac, too.
Can I specify the allowed algorithms in PrivacyIDEA?
Any more hints as to where the problem (bug?) could be would be appreciated.

The algorithm is contained in the public key data. In privacyidea, the algorithm identifier is verified to be valid and supported before the signature so it should match, making my previous comment useless.

It would be useful to see the data that is generated by your passkey upon registration. I dont know if it can be logged in privacyidea tho.

Your explanation makes sense
It seems there’s a bug in the webauthn module then?
I can use a chrome passkey in for example.
Should I file an issue?

You can make an issue, sure. Please include steps on how to reproduce, environment etc. It will probably take a while until somebody has the time to look into it.