Verify license field and value

Hello, I have a requirement to verify the license signature offline (with the license only, without the replicated pod) while starting the app.
Is there any way to verify the signature and verify a specific field?

Let's say I have the license below and want to check whether v8_engine_max_core has the correct value and that the field has not been tampered with.

apiVersion: kots.io/v1beta1
kind: License
metadata:
  name: 
spec:
  appSlug: ..
  channelID: ..
  channelName: Alpha
...
  customerEmail: ..
  customerName: ..
  endpoint: 
  entitlements:
    deployment:
      isHidden: true
      signature: {}
      title: Deployment Type (saas/onprem)
      value: onprem
      valueType: String
    v8_engine_max_core:
      isHidden: true
      signature: {}
      title: Maximum allowed VCPU for V8 engine
      value: 96
      valueType: Integer
  licenseID: **
  licenseSequence: 
  licenseType: dev
  replicatedProxyDomain: 
  signature: MWMzUnZiV1Z5UlcxaGFXd2lPaUp0WVhsMWNpNXdRSFJ2Y21GdVlXbHVZeTVqYjIwaU***

I am referring to Verifying License Field Signatures with the Replicated SDK API (Beta) | Replicated Docs

but I'm not sure what the message you are referring to is. Is it the full license or a specific field? Do you have a sample? And how can I get the signature of a specific field in the license?

import * as crypto from 'crypto';

// Verifies a base64-encoded RSA-PSS signature over `message` with a PEM-encoded public key.
function verifySignature(message: string, signature: string, publicKeyPEM: string): boolean {
    const encodedMessage: Uint8Array = new TextEncoder().encode(message);
    const publicKey: crypto.KeyObject = crypto.createPublicKey({ key: publicKeyPEM });
    const decodedSignature: Buffer = Buffer.from(signature, 'base64');

    return crypto.verify(
        'md5', // digest algorithm handed to crypto.verify
        encodedMessage,
        {
            key: publicKey,
            padding: crypto.constants.RSA_PKCS1_PSS_PADDING
        },
        decodedSignature
    );
}

function main() {
    // Placeholders: the signed message, its base64 signature and the verifying public key.
    const message = `<value>`;
    const signature = `<signature>`;
    const publicKeyPEM = `<public-key-pem>`;

    if (!verifySignature(message, signature, publicKeyPEM)) {
        console.log("Invalid signature");
        return;
    }

    console.log("Signature is valid!");
}

main();

The article you linked to is specifically for Replicated SDK API documented here. That is the API that will sign license fields.

The license file itself has one global signature for the entire file (which includes license fields). There is no documentation for validating this signature, but the code that does validation is public and can be found here
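To make the point in that answer concrete, here is an added example written for this thread. It is not Replicated's code and does not implement the real KOTS signature format (for that, read the linked Go code). It assumes a JSON body instead of the YAML above (Go's standard library has no YAML parser), a freshly generated RSA key standing in for the vendor key, and RSA-PSS over SHA-256 as the scheme. The pattern is the one the answer describes: verify the single signature over the entire license bytes with a pinned public key, and only then parse the document and read v8_engine_max_core. A changed value anywhere in the body makes the original signature fail, which is what makes the field trustworthy.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Entitlement mirrors one entry under spec.entitlements (only the fields read here).
type Entitlement struct {
	Value     json.RawMessage `json:"value"`
	ValueType string          `json:"valueType"`
}

// LicenseSpec is a constructed stand-in for the signed body, not the real KOTS schema.
type LicenseSpec struct {
	Entitlements map[string]Entitlement `json:"entitlements"`
}

// constructedLicense is made-up sample data for this example.
const constructedLicense = `{
  "entitlements": {
    "deployment": {"value": "onprem", "valueType": "String"},
    "v8_engine_max_core": {"value": 96, "valueType": "Integer"}
  }
}`

// signLicense is the vendor side: one RSA-PSS/SHA-256 signature over the whole body.
func signLicense(priv *rsa.PrivateKey, body []byte) (string, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// verifyLicense checks the global signature with the pinned vendor public key before
// parsing anything; changing any byte of the body, even one value, fails verification.
func verifyLicense(pub *rsa.PublicKey, body []byte, sigB64 string) (*LicenseSpec, error) {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return nil, fmt.Errorf("signature is not valid base64: %w", err)
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("license signature invalid: %w", err)
	}
	var spec LicenseSpec
	if err := json.Unmarshal(body, &spec); err != nil {
		return nil, fmt.Errorf("license body is not valid JSON: %w", err)
	}
	return &spec, nil
}

// maxCores reads v8_engine_max_core from an already verified license.
func maxCores(spec *LicenseSpec) (int, error) {
	ent, ok := spec.Entitlements["v8_engine_max_core"]
	if !ok || ent.ValueType != "Integer" {
		return 0, fmt.Errorf("v8_engine_max_core missing or not an Integer")
	}
	var n int
	err := json.Unmarshal(ent.Value, &n)
	return n, err
}

// runDemo signs the sample body, verifies it, reads the field, then raises the core count
// inside the signed bytes and re-verifies with the original signature (it must fail).
func runDemo() (int, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the vendor key
	if err != nil {
		return 0, false, err
	}
	body := []byte(constructedLicense)
	sig, err := signLicense(priv, body)
	if err != nil {
		return 0, false, err
	}
	spec, err := verifyLicense(&priv.PublicKey, body, sig)
	if err != nil {
		return 0, false, err
	}
	cores, err := maxCores(spec)
	if err != nil {
		return 0, false, err
	}
	tampered := []byte(strings.Replace(constructedLicense, `"value": 96,`, `"value": 960,`, 1))
	_, tamperErr := verifyLicense(&priv.PublicKey, tampered, sig)
	return cores, tamperErr == nil, nil
}

func main() {
	cores, tamperedPassed, err := runDemo()
	fmt.Println("verified cores:", cores, "tampered copy accepted:", tamperedPassed, "err:", err)
}
```

Run it with go run: the verified core count is 96 and the tampered copy is rejected. In a real init container the public key would be compiled into the binary rather than generated at runtime, and the field would only ever be read from a body whose global signature has already verified; per the answer above, it is that global signature, not a per-field one, that covers the entitlement values in the license file.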

Hi @dmuley, I have some code, written in Go, that handles this as an init container or a sidecar.

It currently has my public key hardcoded, but you should be able to fork and build for your use case.