If I follow this commands http://www.raywenderlich.com/20734/beginning-passbook-part-1 for signing a pass I get a different signature then if I use the passkit4j system.
Do you know if there is a way to validate the signature?

Sorry could be date related. I reopen it if it's really an issue.

That's interesting, I built a pass and had it signed by this lib, extracted manifest.json and signed it with the openssl command and I also got two different signatures, the one generated by this lib was 3238 bytes and the openssl one was 3360, but both of the signatures verify successfully. I don't know much about the inner workings of PKCS#7 detached signatures, but I trust there's a good explanation for this!

(I decided against including a verifier to the project since there isn't really a use case for verifying passes as far as I can tell, but I've posted it as a gist if you'd like to try it: https://gist.github.com/4449472 fyi: you'll need to provide it your pass certificate, not the WWDR cert)

Oh nice I was today looking for such a tool 👍