Mattermost license files are just json files with a 256 byte signature appended to it, with the whole thing being base64 encoded. The signature is generated by Mattermost by taking the json object and signing it with their own 2048-bit RSA private key. The public key is included inside your binary to verify the signature.

What this patch does is invert a single if statement within the license verification code.

err = rsa.VerifyPKCS1v15(rsaPublic, crypto.SHA512, d, signature)
if err != nil {
	return "", fmt.Errorf("Invalid signature: %w", err)
}

return string(plaintext), nil

Instead of dismissing invalid signatures and erroring out, your patched binary will allow invalid signatures, and errors out on valid ones. This allows you to upload your own licenses with any features you want.

Step 1

The first step is to patch the original Mattermost binary shipped with the enterprise edition.

If you're running on bare metal, all you need to do is run the patch.sh script and give it the path to your Mattermost binary: ./patch.sh /path/to/mattermost/binary

If you're running a docker build, you can either:

Copy the binary out of the container, apply the patch, then mount the binary back into the container
- Start the Mattermost container
- Run docker cp <container-id>:/mattermost/bin/mattermost ./mattermost to copy the binary to the host
- Apply the patch with ./patch.sh ./mattermost
- Change your docker-compose.yml or docker run command to mount the patched binary into the container
```
...
mattermost:
  ...
  volumes:
  ...
  - ./mattermost:/mattermost/bin/mattermost
...
```

Create your own docker image by taking the original image and applying the patch

FROM mattermost/mattermost-enterprise-edition:release-11 AS original

FROM alpine:latest AS patcher
RUN apk add --no-cache bash xxd grep

COPY --from=original /mattermost/bin/mattermost /mattermost

COPY patch.sh /tmp/patch.sh
RUN chmod +x /tmp/patch.sh && /tmp/patch.sh /mattermost

FROM mattermost/mattermost-enterprise-edition:release-11
COPY --from=patcher --chown=2000:2000 /mattermost /mattermost/bin/mattermost

Either build that image yourself or through CI, tag it, then replace the image in your docker-compose.yml config
Or specify the build directly inside your docker-compose.yml

Step 2

Once you have your patched binary up and running, you can now upload license files that were not signed by Mattermost. This means that you can create your own license, or use the license file inside of this repository.

If you want to create your own license, you can modify the example.json file and customize it to your liking. By default, it enables all features and gives you an Enterprise Advanced license. You can specify any customer details you want.

Make sure to use IDs consisting of exactly 26 characters of only letters and numbers [A-Za-z0-9].

The 256 x's at the end of the json object is the signature. Since the patched binary now allows invalid signatures, you can put whatever you want in here, or leave it as is. Just make sure that the signature comes right after the json object and is exactly 256 characters in length.

Once you have made your changes to the example.json file, you need to encode it as base64. You can use online tools, or use your locally installed ones. Save the base64 encoded string as a file ending with .mattermost-license, such as license.mattermost-license.

You can now upload your license in your system console or your environment variables, and you should have yourself an unlocked Mattermost instance up and running.

Important Note

If you are not using your own image that is built upon bringing your container up or have automated the process, you will have to repeat the steps to patch the binary on every update. You will not have to create or upload new licenses.