Re: licence key validation method
- Subject: Re: licence key validation method
- From: Roland King <email@hidden>
- Date: Mon, 12 Jan 2015 19:44:06 +0800
> On 12 Jan 2015, at 17:52, 2551 <email@hidden> wrote:
>
>
>> On 12 Jan 2015, at 03:59, Charles Srstka <email@hidden> wrote:
>>
>> After all, you’re going to want some sort of automatic system for generating license codes for your users,
>
> Actually, no. As I said, the licence codes are being generated via FastSpring (and that's OpenSSL). All I need is a method to validate the code the user enters. My public key is in the app (it was as a certificate, but following Uli's advice I've hard wired the pubkey into the code instead).
>
> Now, I really appreciate the offerings that have been made so far, I can't emphasize that enough, and I've got a bit of a clearer understanding as a result, but I have to say all this "use OpenSSL" "no use LibreSSL", "use Security.framework", "don't use Security.framework" is more or less a repetition of the advice I gleaned from working round the stackexchange etc threads; i.e., I'm none the wiser.
>
> How do I actually start writing the method that's going to check the validity of the licence key (that's the licence code I already have, that I don't need to know how to generate, and that I've included the public key for in my app)? Allan has offered the most practical advice so far, but even he says "don't use OpenSSL", and that was 10 years ago...
>
> I spent all of yesterday, as it turned out, working on the logic of my 30-day trial (oh, boy did that turn out to be harder than I imagined, but fun all the same...), so I'm still to put all the advice given so far to practical use. However, here's a new question that's been raised by your suggestions:
>
> Given that my licences are being generated with OpenSSL in the FastSpring website, does that mean I HAVE TO use OpenSSL to validate them? I'm thinking the "DUH" answer here has to be "YES", but given my lack of knowledge about this topic, I'm taking nothing for granted.
>
> I'm also kind of surprised, given how popular non-App Store distribution seems to be becoming (at least, my purely anecdotal impression is that more OS X developers are choosing to forego or at least parallel-offer their apps outside of the App Store than 12 or 24 months ago), that there isn't a drop-and-go solution to all this licensing and trial mode logic (or at least one that has been updated in the last 5 years, that is).
>
> Does everyone really work all this out from scratch, as I seem to be doing? (And when I do, rest assured I'm going to write this up for others). I'm quite happy to put the time and effort into figuring this whole thing out from scratch if that's what's required, it's just that I don't want to invent my own wobbly wheel if someone else has already figured out how to make a nice smooth ride of it (I did that with updates, only to discover Sparkle after I'd already written my own homegrown solution...).
>
> Your thoughts, as always, are greatly appreciated.
>
>
> Phil
>
Part of the problem, at least for me, is I haven’t figured out yet what you actually have that you’re trying to verify. Is it a string, a file, a binary blob of data or what? I just took a look at the Fastspring site, knowing nothing about them, and as far as I’ve been able to tell at this point they generate license keys in various formats with the expectation they will be used by code which links a library which knows that format. They mention AquaticPrime and CocoaFob and others. I’m assuming that each of those libraries defines a format, defines what ‘signing’ means and defines what data you get when something has been signed. Normally you’d link one of those, ask for your license keys to be generated in that particular format and call some few lines of code in the library to verify it.
You said in your first mail that you have DSA key generation set up. I didn’t see anything on Fastspring’s website named 'DSA key generation'. I know what a DSA key is, and I know how to use a DSA key to sign/verify something; that doesn’t say anything, however, about what data is being signed and what format you’re getting it in.
No, you don’t have to use OpenSSH just because they use OpenSSH. OpenSSH is just one implementation of a number of well-defined and well-known algorithms.
What type of key have you asked Fastspring to generate for you?
_______________________________________________
Cocoa-dev mailing list (email@hidden)