>Since .pkpass files need to be cryptographically signed with Apple's certificate, there's no way to generate them purely client-side.

Technically you could use blind signing, no?