ticktrace
// public key

Verify offline.

Every ticktrace commercial license certificate is signed with the Ed25519 private key Amken LLC controls. The corresponding public key is published below so you can verify any certificate without contacting our servers.

ticktrace-licensing-ed25519.pubtext
-----BEGIN PUBLIC KEY-----
(set NEXT_PUBLIC_LICENSE_PUBLIC_KEY at build time)
-----END PUBLIC KEY-----```

// verify with openssl

The signed payload at the bottom of every certificate is a base64 Ed25519 signature over the canonical license JSON. To verify with the OpenSSL CLI:

verify.shbash
# 1. Save the canonical license JSON (everything between
#    "BEGIN CANONICAL LICENSE" and "END CANONICAL LICENSE") to license.json
# 2. Save the base64 signature to license.sig.b64
# 3. Run:

openssl base64 -d -in license.sig.b64 -out license.sig
openssl pkeyutl -verify \
  -pubin -inkey ticktrace-licensing-ed25519.pub \
  -rawin -in license.json \
  -sigfile license.sig```

// verify in node

verify.mjsjs
import { createPublicKey, verify } from 'node:crypto';
import { readFileSync } from 'node:fs';

const pub = createPublicKey({
  key: readFileSync('ticktrace-licensing-ed25519.pub'),
  format: 'pem',
});
const payload = readFileSync('license.json');
const sig = Buffer.from(readFileSync('license.sig.b64', 'utf8').trim(), 'base64');

const ok = verify(null, payload, pub, sig);
console.log(ok ? 'valid' : 'INVALID');```

// key rotation

If we rotate the signing key, we will publish both the retired and current public keys on this page along with the rotation date. Certificates issued before the rotation continue to verify against the retired key. Subscribers will receive a re-signed certificate with the new key on their next renewal.