Skip to content

License portal issues product keys with instance hash truncated to 17 chars — RegistrationValidator always rejects them #205

Description

@scott-lingble

Affected Version

2025.4 (pimcore/pimcore v12.3.11) — validator identical in v2026.2.3

Affected capability

Product Registration / Licensing

Steps to reproduce

  1. Fresh install of pimcore/skeleton (created 2026-07-14; resolves pimcore/pimcore v12.3.11, pimcore/platform-version v2025.4).
  2. Run vendor/bin/pimcore-install with a fixed --encryption-secret and --instance-identifier=pimcore-vcluster-ai. The computed instance hash is stable across runs (verified twice):
    8dd7eb1f093c0ac6e1f1d46340be36eb0e1b86946ce698ec15998fd88ffbfc78
  3. Open the deeplink from the installer error:
    https://license.pimcore.com/register?instance_identifier=pimcore-vcluster-ai&instance_hash=8dd7eb1f093c0ac6e1f1d46340be36eb0e1b86946ce698ec15998fd88ffbfc78
    The form's registration_form[instance_hash] input is correctly prefilled with the full 64-character hash (verified in the served HTML).
  4. Submit the registration and use the issued product key with --product-key.

Actual Behavior

The issued product key's signed payload contains an id that is only the first 17 characters of the submitted instance hash:

{"id":"8dd7eb1f093c0ac6e","timestamp":1784076495}

Pimcore\ProductRegistration\RegistrationValidator::validateProductKey() compares this id against the full 64-character hash_hmac('sha256', $instanceIdentifier, $secret) with strict equality (RegistrationValidator.php line ~77), so validation always fails:

Your hashed instance identifier does not match with your product key:
8dd7eb1f093c0ac6e vs 8dd7eb1f093c0ac6e1f1d46340be36eb0e1b86946ce698ec15998fd88ffbfc78

Reproduced three times today (2026-07-14/15) with three separate registrations (different hashes); every issued key embedded exactly the first 17 characters of the submitted hash. Since the id is inside the signed payload, no client-side workaround exists.

Either license.pimcore.com is truncating the instance hash when generating the signed payload, or the validator should compare against the truncated form — currently the portal and the validator disagree, which makes fresh installs impossible to register.

Expected Behavior

The issued key's payload id equals the full 64-character instance hash (or the validator accepts the portal's issued format), so that a correctly registered key passes validateProductKey().

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    Affected capability

    None yet

    Platform Version

    None yet

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions