Affected Version
2025.4 (pimcore/pimcore v12.3.11) — validator identical in v2026.2.3
Affected capability
Product Registration / Licensing
Steps to reproduce
- Fresh install of
pimcore/skeleton (created 2026-07-14; resolves pimcore/pimcore v12.3.11, pimcore/platform-version v2025.4).
- Run
vendor/bin/pimcore-install with a fixed --encryption-secret and --instance-identifier=pimcore-vcluster-ai. The computed instance hash is stable across runs (verified twice):
8dd7eb1f093c0ac6e1f1d46340be36eb0e1b86946ce698ec15998fd88ffbfc78
- Open the deeplink from the installer error:
https://license.pimcore.com/register?instance_identifier=pimcore-vcluster-ai&instance_hash=8dd7eb1f093c0ac6e1f1d46340be36eb0e1b86946ce698ec15998fd88ffbfc78
The form's registration_form[instance_hash] input is correctly prefilled with the full 64-character hash (verified in the served HTML).
- Submit the registration and use the issued product key with
--product-key.
Actual Behavior
The issued product key's signed payload contains an id that is only the first 17 characters of the submitted instance hash:
{"id":"8dd7eb1f093c0ac6e","timestamp":1784076495}
Pimcore\ProductRegistration\RegistrationValidator::validateProductKey() compares this id against the full 64-character hash_hmac('sha256', $instanceIdentifier, $secret) with strict equality (RegistrationValidator.php line ~77), so validation always fails:
Your hashed instance identifier does not match with your product key:
8dd7eb1f093c0ac6e vs 8dd7eb1f093c0ac6e1f1d46340be36eb0e1b86946ce698ec15998fd88ffbfc78
Reproduced three times today (2026-07-14/15) with three separate registrations (different hashes); every issued key embedded exactly the first 17 characters of the submitted hash. Since the id is inside the signed payload, no client-side workaround exists.
Either license.pimcore.com is truncating the instance hash when generating the signed payload, or the validator should compare against the truncated form — currently the portal and the validator disagree, which makes fresh installs impossible to register.
Expected Behavior
The issued key's payload id equals the full 64-character instance hash (or the validator accepts the portal's issued format), so that a correctly registered key passes validateProductKey().
Affected Version
2025.4 (pimcore/pimcore v12.3.11) — validator identical in v2026.2.3
Affected capability
Product Registration / Licensing
Steps to reproduce
pimcore/skeleton(created 2026-07-14; resolvespimcore/pimcorev12.3.11,pimcore/platform-versionv2025.4).vendor/bin/pimcore-installwith a fixed--encryption-secretand--instance-identifier=pimcore-vcluster-ai. The computed instance hash is stable across runs (verified twice):8dd7eb1f093c0ac6e1f1d46340be36eb0e1b86946ce698ec15998fd88ffbfc78https://license.pimcore.com/register?instance_identifier=pimcore-vcluster-ai&instance_hash=8dd7eb1f093c0ac6e1f1d46340be36eb0e1b86946ce698ec15998fd88ffbfc78The form's
registration_form[instance_hash]input is correctly prefilled with the full 64-character hash (verified in the served HTML).--product-key.Actual Behavior
The issued product key's signed payload contains an
idthat is only the first 17 characters of the submitted instance hash:{"id":"8dd7eb1f093c0ac6e","timestamp":1784076495}Pimcore\ProductRegistration\RegistrationValidator::validateProductKey()compares thisidagainst the full 64-characterhash_hmac('sha256', $instanceIdentifier, $secret)with strict equality (RegistrationValidator.phpline ~77), so validation always fails:Reproduced three times today (2026-07-14/15) with three separate registrations (different hashes); every issued key embedded exactly the first 17 characters of the submitted hash. Since the id is inside the signed payload, no client-side workaround exists.
Either license.pimcore.com is truncating the instance hash when generating the signed payload, or the validator should compare against the truncated form — currently the portal and the validator disagree, which makes fresh installs impossible to register.
Expected Behavior
The issued key's payload
idequals the full 64-character instance hash (or the validator accepts the portal's issued format), so that a correctly registered key passesvalidateProductKey().