我最终使用 Xml 数字签名 来签署许可证文件应用程序的私钥,永远不会分发给用户。结果:您在目标计算机上有一个 .LIC 或 .LICX 文件,用户可以读取该文件(它是纯文本,除了封装的签名)但不能修改。 (或者更确切地说,如果您不知道他们已经修改了它,他们就无法修改它。)这个小文件是整个系统的关键。
当应用程序加载时,它会验证 XML 签名是否有效(使用应用程序的公钥,随应用程序一起分发),如果有效,它会从许可证文件中读取信息,并据此启用/禁用某些功能。例如,您的许可证文件可能包含产品到期日期或一些独特的机器信息(始终小心,不要因此给您的合法用户带来不便......您不希望他们必须重新申请许可证每次更换硬盘驱动器时都会生成密钥)。
I can tell you how I do it. Disclaimer: your mileage may vary. This is for the case of preventing casual piracy of a simple WinForms or WPF or other desktop app. It's not particularly robust or secure against sophisticated cracking, but it does a great job of preventing casual piracy.
For licensing, I tried several 3rd party solutions. They're all fairly easy to use for the nominal case of preventing casual piracy, which of course if the only piracy you should really be concerned about.
What I found was that none of the licensing providers were really compatible with the existing payment processors / gateways. There are a few "all-in-one" solutions but the level of technical debt there was unacceptable to me (a freelancer and sole developer). I was looking for a simple way to go from a "Buy Now" link on a website to unlocking the desktop software after purchase. Some of the existing "all-in-one" solutions are overkill for this purpose, some ignore the "purchase" aspect entirely.
I ended up using Xml Digital Signatures to sign license files with the application's private key, which is never distributed to users. The result: you have a .LIC or .LICX file on the target machine that users can read (it's plain text, except for the enveloped signature) but not modify. (Or rather, they can't modify it without you knowing they've modified it.) This little file is the key to the whole system.
When the application loads, it verifies that the XML signature is valid (using the application's public key, which is distributed with the app) and if it's valid, it reads the information from the license file, and enables/disables certain features based on that. For example, your license file could contain a product expiration date, or a couple pieces of unique machine info (be careful, always, not to inconvenience your legit users with this...you don't want them to have to reapply for license keys every time they change out a hard drive).
As an additional (and slightly more invasive) step, you can have the app connect to your server, though this gets you into server downtime issues and so forth and so on. Some devs are willing to put up with this, others aren't.
Now for the purchase part, there are many many options. Paypal is far and away the easiest. You may or may not like their rate plans, but it's an absolute cinch to get up and running with Paypal.
For that you want a Premier or Business account, not a Personal account. Note: in the Paypal docs it sometimes says you need a Paypal Business account. Whenever they say that, they actually mean, "a Paypal Business or Premier account".
Now get yourself a product website and customize your Buy Now buttons etc. When the user makes a purchase, your website will receive a ping from Paypal IPN, which is their notification service. This ping is just a call to a defined HTTP endpoint on your website, and it contains all the information you'll want about the purchase. Mainly, the user's email...
(Okay, I feel like I should mention: Paypal along with most other legit processors have a "sandbox" where you can test all this out before going live. Does wonders towards giving you the warm fuzzy about actually going live, with money on the line.)
Which you'll use to auto-send the user an Activation Code after purchase, so they don't have to wait 24 hours for you to manually send them a code. Store this activation code (which under this scenario can be any unique, difficult-to-guess number, such as a GUID, prettified or not) in the DB with a usage count which you'll track to detect duplicate codes.
The user enters the Activation Code into the software, via a screen you provide.
The software contacts the server over https (this is a one-time thing that happens only when the software is unlocked), and says, "hey, is this license code the user just gave me valid?"
If the supplied activation code matches the code stored in the database at the time of sale, and that activation code hasn't yet been confirmed, then Success!
The server then needs to build the license file, which is an extremely simple XML or text file containing "what this copy of the software is allowed to do". There's no standard for what it should contain, only a few conventions.
The server signs the license file with the application's private key and returns it as a data stream to your application...
Which saves it as a .LIC or .LICX (or whatever extension you want) file, which it then checks on load time as per Step 3.
This has worked really well for me, and it's a cinch to implement. The key to the whole thing is simply: trust those XML DSigs. When the LIC file is missing, you default to trial mode. When the sig is modified, you switch to trial mode. Only when the LIC file is present, validly signed, and contains the right information, do you then (in code) open up access to "full" functionality.
Also, interperse more than one license-check point in your code. I do one at app startup, another at idle, and another just before entering key functional areas. So if someone does reverse the code, and they can, they'll at least have to do a bit of searching to gut all the license checks. Of course, nothing you can do can prevent people from patching their way around those checks. You just want to make it a bit more difficult.
If you want to do it correctly, I would honestly have to recommend buying a trusted third party solution for both of these things. There are several licensing packages out there for .Net (we use Desaware for our products, although I haven't directly worked with them that much so I couldn't give a detailed recommendation. It seems simple enough for what I've been exposed to). No fuss, no bugs, and the payoff in the long term is huge in terms of time saved.
Third party payment services can handle online credit card transactions for you, and there's always PayPal as well. Google for "how to accept credit card payments on the web" and you'll come up with endless merchant solution providers.
If you'd rather spend the time to build a licensing system yourself, this StackOverflow thread is a pretty good resource on the various aspects to consider.
您需要对 . NET 应用程序。有数百种选择,从非常便宜的(以及有关如何推出自己的文章)到非常强大的商业工具。
You'll want to use some form of Software Projection and Licensing for .NET applications. There are hundreds of options out there, from very inexpensive (and articles for how to roll your own) to very robust commercial tools.
您可以考虑CryptoLicensing For .Net - 它提供了完整版和试用版的选项(使用天数、唯一使用天数、执行情况等)。它还配备了即用型许可证服务器以及用于 paypal、shareit、plimus 等的电子商务集成商。
You can consider CryptoLicensing For .Net - it provides options for full as well as trial (usage days, unique usage days, executions, etc). It also comes with ready-to-use license server with e-commerce integrators for paypal, shareit, plimus, etc.
发布评论
评论(4)
我可以告诉你我是怎么做的。免责声明:您的里程可能会有所不同。这是为了防止简单的 WinForms 或 WPF 或其他桌面应用程序的随意盗版。它对于复杂的破解来说并不是特别强大或安全,但它在防止随意盗版方面做得很好。
对于许可,我尝试了几种第三方解决方案。对于防止偶然盗版的名义情况来说,它们都相当容易使用,当然,如果这是您真正应该担心的唯一盗版。
我发现没有一个许可提供商与现有的支付处理器/网关真正兼容。有一些“一体化”解决方案,但技术债务水平对我(自由职业者和唯一开发人员)来说是不可接受的。我一直在寻找一种简单的方法,从网站上的“立即购买”链接到购买后解锁桌面软件。一些现有的“一体式”解决方案对于此目的来说太过分了,有些解决方案完全忽略了“购买”方面。
我最终使用 Xml 数字签名 来签署许可证文件应用程序的私钥,永远不会分发给用户。结果:您在目标计算机上有一个 .LIC 或 .LICX 文件,用户可以读取该文件(它是纯文本,除了封装的签名)但不能修改。 (或者更确切地说,如果您不知道他们已经修改了它,他们就无法修改它。)这个小文件是整个系统的关键。
当应用程序加载时,它会验证 XML 签名是否有效(使用应用程序的公钥,随应用程序一起分发),如果有效,它会从许可证文件中读取信息,并据此启用/禁用某些功能。例如,您的许可证文件可能包含产品到期日期或一些独特的机器信息(始终小心,不要因此给您的合法用户带来不便......您不希望他们必须重新申请许可证每次更换硬盘驱动器时都会生成密钥)。
作为一个额外的(稍微更具侵入性的)步骤,您可以让应用程序连接到您的服务器,尽管这会让您遇到服务器停机问题等等。一些开发人员愿意忍受这一点,而其他开发人员则不愿意。
现在对于购买部分,有很多很多选择。 Paypal 无疑是最简单的。您可能喜欢也可能不喜欢他们的费率计划,但使用 Paypal 启动和运行绝对是轻而易举的事情。
为此,您需要高级帐户或企业帐户,而不是个人帐户。注意:在 Paypal 文档中,有时会说您需要一个 Paypal 企业帐户。每当他们这么说时,他们实际上的意思是“Paypal Business 或 Premier 帐户”。
现在为自己建立一个产品网站并自定义“立即购买”按钮等。当用户购买时,您的网站将收到来自 Paypal IPN,这是他们的通知服务。此 ping 只是对您网站上定义的 HTTP 端点的调用,它包含您需要的有关购买的所有信息。主要是用户的电子邮件...
(好吧,我觉得我应该提一下:Paypal 以及大多数其他合法处理商都有一个“沙箱”,您可以在上线之前测试所有这些内容。这会给您带来奇迹吗?对于实际上线的感觉很模糊,而且还需要钱。)
您将使用它在购买后自动向用户发送激活码,这样他们就不必等待 24您手动向他们发送代码的时间。将此激活代码(在这种情况下可以是任何唯一的、难以猜测的数字,例如 GUID,无论是否经过美化)存储在数据库中,并使用您将跟踪的使用计数来检测重复的代码。
用户通过您提供的屏幕将激活码输入到软件中。
该软件通过 https 与服务器联系(这是一次性的事情,仅在软件解锁时才会发生),并说:“嘿,用户刚刚给我的这个许可证代码有效吗?”
如果提供的激活码与销售时存储在数据库中的代码匹配,并且该激活码尚未得到确认,则成功!
然后,服务器需要构建许可证文件,这是一个极其简单的 XML 或文本文件,其中包含“允许该软件副本执行的操作”。对于它应该包含的内容没有标准,只有一些约定。
服务器使用应用程序的私钥对许可证文件进行签名并将其作为数据流返回到您的应用程序...
将其保存为 .LIC 或 .LICX(或您想要的任何扩展名)文件,然后根据加载时间检查该文件步骤 3.
这对我来说非常有效,而且很简单来实施。整个事情的关键很简单:信任那些 XML DSig。当 LIC 文件丢失时,您默认为试用模式。修改签名后,您将切换到试用模式。只有当 LIC 文件存在、经过有效签名并包含正确信息时,您才能(在代码中)开放对“完整”功能的访问。
另外,在代码中插入多个许可证检查点。我在应用程序启动时执行一个操作,在空闲时执行另一个操作,在进入关键功能区域之前执行另一个操作。因此,如果有人确实逆转了代码(而且他们可以),那么他们至少需要进行一些搜索以清除所有许可证检查。当然,你无法阻止人们绕过这些检查。你只是想让事情变得更困难一点。
I can tell you how I do it. Disclaimer: your mileage may vary. This is for the case of preventing casual piracy of a simple WinForms or WPF or other desktop app. It's not particularly robust or secure against sophisticated cracking, but it does a great job of preventing casual piracy.
For licensing, I tried several 3rd party solutions. They're all fairly easy to use for the nominal case of preventing casual piracy, which of course if the only piracy you should really be concerned about.
What I found was that none of the licensing providers were really compatible with the existing payment processors / gateways. There are a few "all-in-one" solutions but the level of technical debt there was unacceptable to me (a freelancer and sole developer). I was looking for a simple way to go from a "Buy Now" link on a website to unlocking the desktop software after purchase. Some of the existing "all-in-one" solutions are overkill for this purpose, some ignore the "purchase" aspect entirely.
I ended up using Xml Digital Signatures to sign license files with the application's private key, which is never distributed to users. The result: you have a .LIC or .LICX file on the target machine that users can read (it's plain text, except for the enveloped signature) but not modify. (Or rather, they can't modify it without you knowing they've modified it.) This little file is the key to the whole system.
When the application loads, it verifies that the XML signature is valid (using the application's public key, which is distributed with the app) and if it's valid, it reads the information from the license file, and enables/disables certain features based on that. For example, your license file could contain a product expiration date, or a couple pieces of unique machine info (be careful, always, not to inconvenience your legit users with this...you don't want them to have to reapply for license keys every time they change out a hard drive).
As an additional (and slightly more invasive) step, you can have the app connect to your server, though this gets you into server downtime issues and so forth and so on. Some devs are willing to put up with this, others aren't.
Now for the purchase part, there are many many options. Paypal is far and away the easiest. You may or may not like their rate plans, but it's an absolute cinch to get up and running with Paypal.
For that you want a Premier or Business account, not a Personal account. Note: in the Paypal docs it sometimes says you need a Paypal Business account. Whenever they say that, they actually mean, "a Paypal Business or Premier account".
Now get yourself a product website and customize your Buy Now buttons etc. When the user makes a purchase, your website will receive a ping from Paypal IPN, which is their notification service. This ping is just a call to a defined HTTP endpoint on your website, and it contains all the information you'll want about the purchase. Mainly, the user's email...
(Okay, I feel like I should mention: Paypal along with most other legit processors have a "sandbox" where you can test all this out before going live. Does wonders towards giving you the warm fuzzy about actually going live, with money on the line.)
Which you'll use to auto-send the user an Activation Code after purchase, so they don't have to wait 24 hours for you to manually send them a code. Store this activation code (which under this scenario can be any unique, difficult-to-guess number, such as a GUID, prettified or not) in the DB with a usage count which you'll track to detect duplicate codes.
The user enters the Activation Code into the software, via a screen you provide.
The software contacts the server over https (this is a one-time thing that happens only when the software is unlocked), and says, "hey, is this license code the user just gave me valid?"
If the supplied activation code matches the code stored in the database at the time of sale, and that activation code hasn't yet been confirmed, then Success!
The server then needs to build the license file, which is an extremely simple XML or text file containing "what this copy of the software is allowed to do". There's no standard for what it should contain, only a few conventions.
The server signs the license file with the application's private key and returns it as a data stream to your application...
Which saves it as a .LIC or .LICX (or whatever extension you want) file, which it then checks on load time as per Step 3.
This has worked really well for me, and it's a cinch to implement. The key to the whole thing is simply: trust those XML DSigs. When the LIC file is missing, you default to trial mode. When the sig is modified, you switch to trial mode. Only when the LIC file is present, validly signed, and contains the right information, do you then (in code) open up access to "full" functionality.
Also, interperse more than one license-check point in your code. I do one at app startup, another at idle, and another just before entering key functional areas. So if someone does reverse the code, and they can, they'll at least have to do a bit of searching to gut all the license checks. Of course, nothing you can do can prevent people from patching their way around those checks. You just want to make it a bit more difficult.
如果你想正确地做到这一点,我真诚地建议你购买一个值得信赖的第三方解决方案来解决这两件事。有几个适用于 .Net 的许可包(我们使用 Desaware 作为我们的产品,尽管我没有直接使用过它们,所以我无法给出详细的建议,对于我所接触过的东西来说,这似乎很简单)。没有大惊小怪,没有错误,从长远来看,节省时间的回报是巨大的。
第三方支付服务可以为您处理在线信用卡交易,还有 PayPal。谷歌搜索“如何在网络上接受信用卡付款”,您会找到无数的商家解决方案提供商。
如果您愿意花时间自己构建许可系统,这个 StackOverflow 线程 在需要考虑的各个方面都是一个非常好的资源。
If you want to do it correctly, I would honestly have to recommend buying a trusted third party solution for both of these things. There are several licensing packages out there for .Net (we use Desaware for our products, although I haven't directly worked with them that much so I couldn't give a detailed recommendation. It seems simple enough for what I've been exposed to). No fuss, no bugs, and the payoff in the long term is huge in terms of time saved.
Third party payment services can handle online credit card transactions for you, and there's always PayPal as well. Google for "how to accept credit card payments on the web" and you'll come up with endless merchant solution providers.
If you'd rather spend the time to build a licensing system yourself, this StackOverflow thread is a pretty good resource on the various aspects to consider.
您需要对 . NET 应用程序。有数百种选择,从非常便宜的(以及有关如何推出自己的文章)到非常强大的商业工具。
You'll want to use some form of Software Projection and Licensing for .NET applications. There are hundreds of options out there, from very inexpensive (and articles for how to roll your own) to very robust commercial tools.
您可以考虑CryptoLicensing For .Net - 它提供了完整版和试用版的选项(使用天数、唯一使用天数、执行情况等)。它还配备了即用型许可证服务器以及用于 paypal、shareit、plimus 等的电子商务集成商。
You can consider CryptoLicensing For .Net - it provides options for full as well as trial (usage days, unique usage days, executions, etc). It also comes with ready-to-use license server with e-commerce integrators for paypal, shareit, plimus, etc.