Portable.Licensing

Public key and authentication

Open Strandedpirate opened this issue 10 years ago • 2 comments

When validating a signature of a license, where should I be storing the public key AND how do I know that the public key is even the one I published?

For example, if I distribute my public key in my assembly as a string, what prevents someone from just creating their own key pair, generating their own license, creating a signature for it and then replacing my public key in my assembly with their public key?

I think there needs to be some method for ensuring that the public key is authentic. e.g. the one I published.

Strandedpirate, Feb 12 '15 09:02

Hello,

You can’t stop people from cracking your software! You simply can’t.

Here is a nice article on why it does not make sense to worry about it:

http://blogs.balsamiq.com/product/2008/10/19/my-views-on-software-piracy/

And here about obfuscation:

http://stackoverflow.com/questions/506282/protect-net-code-from-reverse-engineering

If you still want to check if your assembly was compromised, sign it and add the signature as “AdditionalAttribute” to the license and validate it.

You can also validate the public key via a web request to your website, but even this can be cracked with DNS spoofing, etc. Or the attacker simply deactivates your license check altogether.

If you have further questions, I’m happy to invite you to discuss this in here.

Kind regards, Daniel

dnauck, Feb 13 '15 08:02
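One way to read the "sign it and add the signature as AdditionalAttribute" suggestion above, as an added example that is not part of the thread and not Portable.Licensing's own code: the issuer stores the strong-name public key token of the released assembly in the license before signing it, and the client compares that value with the running assembly. The attribute name `AssemblyPublicKeyToken` and the class `LicenseCheck` are hypothetical, treating "sign it" as strong-name signing is an assumption, and the Portable.Licensing calls follow its fluent validation API as I understand it, so check them against the version you use.

```csharp
// Added example: binds a license to the assembly's strong-name token.
using System;
using System.Linq;
using System.Reflection;
using Portable.Licensing;
using Portable.Licensing.Validation;

static class LicenseCheck
{
    // Hypothetical attribute name; the issuer must write the same key
    // into the license's additional attributes before signing it.
    const string TokenAttribute = "AssemblyPublicKeyToken";

    // Strong-name public key token of the running assembly as lowercase hex.
    // Returns an empty string when the assembly is not strong-name signed.
    static string CurrentAssemblyToken()
    {
        byte[] token = Assembly.GetExecutingAssembly().GetName().GetPublicKeyToken();
        if (token == null || token.Length == 0) return string.Empty;
        return BitConverter.ToString(token).Replace("-", "").ToLowerInvariant();
    }

    // True only if the license signature verifies against publicKey AND the
    // token recorded in the signed license matches the running assembly.
    public static bool IsValid(License license, string publicKey)
    {
        string actual = CurrentAssemblyToken();

        var failures = license.Validate()
            .Signature(publicKey)
            .And()
            .AssertThat(
                lic =>
                {
                    string expected = lic.AdditionalAttributes.Get(TokenAttribute);
                    // A missing attribute or an unsigned assembly fails closed.
                    return !string.IsNullOrEmpty(expected)
                        && actual.Length > 0
                        && string.Equals(expected, actual, StringComparison.OrdinalIgnoreCase);
                },
                new GeneralValidationFailure
                {
                    Message = "License was not issued for this assembly.",
                    HowToResolve = "Reinstall the original release or request a new license."
                })
            .AssertValidLicense();

        return !failures.Any();
    }
}
```

Because the token sits inside the signed license, it cannot be edited without breaking the signature, so a genuine license no longer validates against a re-signed copy of the assembly. As the reply notes, this is still a client-side check that can be deactivated.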

I am not meaning to be too critical and I appreciate your points. I'm on board with you as far as thinking that it's pointless to try and fight piracy. However, I believe this is way too easy. Any numbskull could follow the quickstart wiki you have and start printing licenses for all software that uses your library without any customization. At the very least, there should be some suggestion about remotely validating the license file. This way you're not handing the keys to the kingdom entirely to the client side unchecked.

TechnikEmpire, Sep 22 '15 06:09