diff --git a/go/cmd/passkey-verify/passkey-verify.go b/go/cmd/passkey-verify/passkey-verify.go
index d2a94c6..7893b47 100644
--- a/go/cmd/passkey-verify/passkey-verify.go
+++ b/go/cmd/passkey-verify/passkey-verify.go
@@ -2,6 +2,7 @@ package main
 import (
 "crypto/ecdsa"
+ "crypto/sha256"
 "flag"
 "fmt"
 "log"
@@ -121,9 +122,10 @@ func main() {
 // TODO decode CBOR data
+ message := sha256.Sum256(assertion.Response.AttToBeSigned)
 verified := ecdsa.VerifyASN1(
 registration.Response.PublicKeyECDSA,
- assertion.Response.VerifiableBytes,
+ message[:],
 assertion.Response.Signature,
 )
 if !verified {
diff --git a/go/passkey/passkey.go b/go/passkey/passkey.go
index d60b836..21c3842 100644
--- a/go/passkey/passkey.go
+++ b/go/passkey/passkey.go
@@ -103,7 +103,7 @@ type Assertion struct {
 ClientDataJSON RawURLBase64 `json:"clientDataJSON"`
 ClientData ClientData `json:"-"`
 Signature RawURLBase64 `json:"signature"`
- VerifiableBytes []byte `json:"-"`
+ AttToBeSigned []byte `json:"-"`
 } `json:"response"`
 }
@@ -118,10 +118,7 @@ func ParseAssertion(credentialRequestResponse []byte) (*Assertion, error) {
 }
 clientDataHash := sha256.Sum256(credReq.Response.ClientDataJSON)
- verifiableData := append(credReq.Response.AuthenticatorDataRaw, clientDataHash[:]...)
- // each algo specifies the SHA-xxx hash in its name
- // exception: SHA512 used for EDDSA
- verifiableHash := sha256.Sum256(verifiableData)
+ attToBeSigned := append(credReq.Response.AuthenticatorDataRaw, clientDataHash[:]...)
 var err error
 credReq.Response.AuthenticatorData, err = ParseAuthenticatorData(credReq.Response.AuthenticatorDataRaw)
@@ -129,7 +126,7 @@ func ParseAssertion(credentialRequestResponse []byte) (*Assertion, error) {
 return nil, err
 }
- credReq.Response.VerifiableBytes = verifiableHash[:]
+ credReq.Response.AttToBeSigned = attToBeSigned
 return credReq, nil
 }
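Review bot: The digest handed to `ecdsa.VerifyASN1` in `main` is fixed to SHA-256, and nothing in this hunk ties that choice to the algorithm the credential was registered with; the comment this commit removes from `ParseAssertion` noted that each algorithm names its own hash. If registration can ever yield a key other than ES256 on P-256, verification would run against the wrong digest. I would state the restriction beside the call, `// ES256 only: SHA-256 matches the P-256 key stored at registration`, or reject other keys first with `if registration.Response.PublicKeyECDSA.Curve != elliptic.P256() { log.Fatal("unsupported credential algorithm") }`. `main` starts and ends outside the hunk, so whether the challenge, origin and RP ID hash are compared before this point cannot be seen here; a valid signature alone does not establish a valid assertion.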
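Review bot: `AttToBeSigned` in `Assertion` holds different content from the field it replaces, the raw concatenation rather than its SHA-256 digest, and the struct says nothing about that. A caller that passes it to a verifier unhashed, as the old field allowed, gets a verification that always fails with no hint why. A doc comment on the field would make the contract explicit: `// AttToBeSigned is authenticatorData || SHA-256(clientDataJSON), not yet hashed; hash it with the credential's algorithm before verifying.` The name borrows the attestation term for what is an assertion signature base, which the same comment could mention.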
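Review bot: `attToBeSigned := append(credReq.Response.AuthenticatorDataRaw, clientDataHash[:]...)` may share its backing array with `AuthenticatorDataRaw` when that slice has spare capacity, and the hunk at -129 now keeps the result in the exported `AttToBeSigned` field instead of hashing it straight away. A later append to `AuthenticatorDataRaw` could then overwrite the bytes the signature is checked against. Building the value from a fresh slice removes the coupling: `attToBeSigned := append(append([]byte(nil), credReq.Response.AuthenticatorDataRaw...), clientDataHash[:]...)`. `ParseAssertion` begins and ends outside this hunk.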