Custom signed/encrypted per-user payload?

I’m looking for a way of doing something similar to what e.g. nintendo did with their “you have a secret cartridge serial code that’s checked by the game” (such as the Eon ticket distribution in pokemon OR:AS where a certain number of people, depending on their serial codes, got an item and could then share it, to promote the multiplayer portion of the game).

my idea being to make a tiny signed/encrypted .pak file (or other file that’s signed in a way UE can verify, probably easier than building a whole .pak each time) that essentially just contains a single UUID or similar, that can be very easily created whenever a game is bought, and added to the download the user receives.

then i’d have the game’s code verify the signature’s authenticity and retreive that tiny bit of data to uniquely identify the download.

the issue is i have no idea how the UE crypto stuff actually works, the only info i can find is “tick this checkbox to enable pak signing” (and a bunch of stuff on how appstore signature keys work, which is completely unrelated), not how to actually create and verify the signature on a specific pak outside of the “main” packaging process, or how to use the crypto module to verify a signature on another kind of file (i know it uses SSL so it’d be probably way cheaper to just make a signature using openssl than actually run the whole unrealpak process each time, but i have no idea how that then would be interfaced with from within UE)

ideally i’d have something like HTTPS would do and actually verify the certificate chain/authority, so i could have a signed cert on each of my download servers, and one master key which gets checked against