alt Hacker NewsI'm not exactly sure how passes are signed, but in most digital signature schemes, you only sign the hash of the message, not the actual contents. Therefore you could conceivably do this in a privacy preserving way by only passing in the hash to be signed, which would allow the server to generate a valid signature without knowing the contents.
Apple Wallet passes use CMS signatures. you're right that only hashes are signed. but Apple requires an official Developer certificate ($99/year) with a private key that can't be exposed to browsers. for true privacy, each user would need their own cert. and defeats the "free" goal. and if you have a dev certificate it's trivial to generate one on your own machine.