I´m kind of new in this so I apologize in advance for any noob mistakes (feel free to point it out)
We are developing a licensing mechanism on our software, and I would like some advice.
The software is installed on premises on the client, good old .Net application. We are planning on using the Portable.Licensing framework, basically, it provides an easy way to generate signed license files, the license file contain all the info the software needs to enable and disable usage and features. To do that, we must generate and use a pair of private/public keys.
As you all may know, we use the private key (and password) to sign the file and the public key to validate the file in the software. A web server would be responsible for creating and delivering these license files to the clients.
So, on my web server we need to have our private key and password. That´s ok and under control.
The question is the public key management, how can I store and secure it on my software in order to guarantee that it will not be replaced?
I am aware that if I put it on the compiled assembly, even if I sign my assembly as well, there is a possibility to crack it. We can always make it more difficult by obfuscating the assembly, but I don´t know if that´s enough.
How would you guys approach this scenario, what´s the best practice? Any input is much appreciated.
Thanks.
