MaScriptRunner

Generating and validating license keys is a common requirement for commercial desktop applications. This article shows a state of the art implementation in 2021. It is simple and cryptographically secure.

Scope

When you browse StackOverflow for licensing implementations, you frequently read the following warning:

MaScriptRunner: gestion d'AppleScripts, 2,5 $ 18,99 $ Mathkey: conversion LaTeX et MathML, 2 $ 5,99 $ Mellel: traitement de texte, 3 $ 49 $ MKV2MP4: conversion de MKV vers MP4, 1 $ 6,99 $ Multitouch: lancement d'actions en fonction de gestes sur la souris ou le trackpad, 1,5 $ 9,99 $. Get maFileRenamer App, maWatermarker App, maPhotoResizer App and maScriptRunner App Lifetime Subscriptions starting from $4.99 one-time-fee. GET DEAL Sizle Pro Lifetime Deal. MaScriptRunner is for every one who has multiple AppleScripts to run continuously. It can create a heartbeat file, which makes professional system monitoring easy. With the auto relaunch function, maScriptRunner becomes an extremely solid tool to run 24 hours a day, 7 days a week. Version 2.0.0: Compatible with the latest macOS Catalina.

MaScriptRunner Applescripts automation Run your Applescripts 24 hours a day, 7 days a week, continuously. Complete Tech Skills Library – Cert, Office, ITPro, Developer & CompTIA: Unlimited Lifetime Access for $49.

No license scheme is 100% secure.

It is true. So, given that our task is ultimately impossible, we don't want to think about it for too long. At the same time, we want something that is reasonably safe.

This article is about registration codes that work offline. No phoning home to a license server. Even if you use a server, you likely don't want your app to stop working just because your user doesn't have internet for a brief while. To achieve this, you will need an offline way of validating licenses.

Cracks vs. keygens

There are several ways in which people can work around the copy protection in your software. The most common are cracks. These usually patch your application's executable, to trick it into believing that there is a valid license. Every desktop application can be fooled in this way. Fortunately, cracks usually only work for specific versions of an app (eg. 5.1.2 but not 5.1.3).

The worst case for software vendors are key generators. They can be used to create arbitrarily many valid serial numbers. If a keygen exists for your app, then your licensing algorithm is compromised beyond repair.

Partial key verification

To prevent keygens from working for all versions of your software, a commonly used technique is partial key verification. Under this scheme, you only use some bits to check the validity of a license key. For example, the first version of your app might only check the first character in each group of a product key:

If someone publishes a keygen for your app, then you can release a new version that checks the second character (say) for a different requirement:

This limits the potential damage of a single key generator. But it doesn't prevent other keygens from appearing for your new app version.

Key length

Historically, license keys had to be entered manually. For instance, when you bought Windows XP, you received a CD-ROM and a printed product key that you had to type in upon installation:

Scriptrunner

To make this workable, license keys had to be short and consist of simple characters such as A - Z and 0 - 9. Better chat for whatsapp.

Nowadays, hardly anyone types in license keys by hand. When a user purchases your software, you send them an email. They either download the license key, or copy/paste it into your application. Because of this, the length of license keys has little practical relevance today.

Older articles about license verification spend a lot of brainpower on 1) encoding information in the limited-length license key, such as a maximum app version, and 2) on partial key verification. If we drop the requirement that license keys be easy to type, we can get a simpler and more secure solution.

A modern approach

At the end of the day, a license check boils down to code like the following:

Scriptrunner

Note that this even applies to more exotic solutions. For example, say your app's binary is encrypted and only valid license keys can 'decrypt' it somehow. Then license_key_is_valid() amounts to asking 'can this key be used to decrypt the binary?'.

MaScriptRunner

We thus need to choose an implementation for license_key_is_valid(). Fortunately, modern cryptography gives us just the right tool for this: We can use RSA signature verification to sign the licensing data with a private key, then verify the signature with an associated public key.

Scriptrunner For Bitbucket

Below is an example in Python that uses the rsa library. Because RSA is so ubiquitous, you should be able to easily port this to another language if required.

First, create an RSA key pair on your development machine. We use 512 bits here because it leads to shorter signatures. In practice, you probably want 2048 bits or more.

Scriptrunner for bitbucket

When a user purchases, generate a license key:

This prints the following:

Send this to your user. Then, in your application, check the validity of the license key as follows:

Scriptrunner for jira

Once execution reaches the last line, you can trust that data was not tampered with. This lets you include information relevant to licensing in the data, such as a maximum app version to which your user is entitled.

The above code works as-is when you type it into one interactive Python interpreter session. In practice, you will have to ship the public key with your app and decide where the user will put the license key. These are just details however. The important parts of the implementation are all here.

Caveats & Summary

Assuming you use a large enough bit size, the above implementation should be safe from key generators. It is not immune to cracking however – as mentioned above, no desktop app is. If you want to make your app even more secure, you could look at obfuscation. This makes reverse-engineering and thus circumventing your copy protection more difficult.

Michael is the creator of fman, a cross-platform file manager. Frustrated with how difficult it was to create this desktop application, Michael open sourced fman's build system (fbs). It saves you months when creating desktop apps with Python and Qt. A few days of these months come from using fbs's well-integrated licensing implementation.