我将如何许可WPF Windows应用程序
我已经开发了一个小应用程序,我想尝试并出售它,但是我不知道如何最好地做到这一点.
I have developed a small application that I would like to try and sell but I am unfamiliar with how best to go about this.
-
我将如何锁定该程序以进行试用1.
How would I go about locking the program down for trial use1.
我该如何处理收款?
考虑到我是一个没有很多钱的单身乐队,所以我希望找到一种免费或低成本,有效,安全且易于实施和维护的解决方案.我没有很多经验,因为我通常是为公共部门开发的,他们从整体上购买解决方案,而我们从未获得过许可.
Bearing in mind that I am a one man band with not a lot of money, I was hoping for a solution that would be free or a low cost, effective, secure and simple to implement and maintain. This is not something that I have a lot of experience with as I have typically developed for the public sector where they buy a solution as a whole and we have never licensed it.
任何帮助将不胜感激. 谢谢,
Any help would really be appreciated. Thanks,
B
我可以告诉你我该怎么做.免责声明:您的里程可能会有所不同.这是为了防止简单的WinForms或WPF或其他桌面应用程序的随意盗版.它不是特别健壮或不能抵抗复杂的破解,但是在防止偶然的盗版方面做得很好.
I can tell you how I do it. Disclaimer: your mileage may vary. This is for the case of preventing casual piracy of a simple WinForms or WPF or other desktop app. It's not particularly robust or secure against sophisticated cracking, but it does a great job of preventing casual piracy.
-
对于许可,我尝试了几种第三方解决方案.在防止偶然盗版的名义情况下,它们都很容易使用,当然,如果您真正要担心的只是唯一的盗版.
For licensing, I tried several 3rd party solutions. They're all fairly easy to use for the nominal case of preventing casual piracy, which of course if the only piracy you should really be concerned about.
我发现,没有一个许可提供者与现有的付款处理器/网关真正兼容.有一些多合一"解决方案,但是那里的技术债务水平对于我(自由职业者和唯一的开发人员)来说是不可接受的.我一直在寻找一种简单的方法,从网站上的立即购买"链接到购买后解锁台式机软件.为此,一些现有的多合一"解决方案已经过时,有些则完全忽略了购买"方面.
What I found was that none of the licensing providers were really compatible with the existing payment processors / gateways. There are a few "all-in-one" solutions but the level of technical debt there was unacceptable to me (a freelancer and sole developer). I was looking for a simple way to go from a "Buy Now" link on a website to unlocking the desktop software after purchase. Some of the existing "all-in-one" solutions are overkill for this purpose, some ignore the "purchase" aspect entirely.
我最终使用了 Xml数字签名进行签名带有应用程序私钥的许可证文件,该文件永远不会分发给用户.结果:目标计算机上有一个.LIC或.LICX文件,用户可以读取(纯文本格式,但带信封的签名除外),但不能修改. (或者,没有您知道,他们就无法修改它.)这个小文件是整个系统的关键.
I ended up using Xml Digital Signatures to sign license files with the application's private key, which is never distributed to users. The result: you have a .LIC or .LICX file on the target machine that users can read (it's plain text, except for the enveloped signature) but not modify. (Or rather, they can't modify it without you knowing they've modified it.) This little file is the key to the whole system.
在应用程序加载时,它会验证XML签名是否有效(使用应用程序的公钥(随应用程序一起分发的 )),如果有效,它将从中读取信息.许可文件,并基于此启用/禁用某些功能.例如,您的许可证文件可能包含产品的到期日期,或几个独特的机器信息(请务必始终小心,以免给合法用户带来不便...您不希望他们重新申请许可证每次更换硬盘驱动器时都需要输入键.)
When the application loads, it verifies that the XML signature is valid (using the application's public key, which is distributed with the app) and if it's valid, it reads the information from the license file, and enables/disables certain features based on that. For example, your license file could contain a product expiration date, or a couple pieces of unique machine info (be careful, always, not to inconvenience your legit users with this...you don't want them to have to reapply for license keys every time they change out a hard drive).
作为一个额外的步骤(并且更具侵入性),您可以使该应用程序连接到服务器,尽管这会导致服务器停机等问题.有些开发人员愿意忍受这一点,而其他开发人员则不愿意.
As an additional (and slightly more invasive) step, you can have the app connect to your server, though this gets you into server downtime issues and so forth and so on. Some devs are willing to put up with this, others aren't.
现在作为购买部分,有很多选择.贝宝是最简单的.您可能喜欢或不喜欢他们的费率计划,但这是使用Paypal并开始运行的绝对捷径.
Now for the purchase part, there are many many options. Paypal is far and away the easiest. You may or may not like their rate plans, but it's an absolute cinch to get up and running with Paypal.
为此,您需要高级或企业帐户,而不是个人帐户.注意:在Paypal文件中,有时会说您需要Paypal商业帐户.无论他们说什么,实际上是指贝宝业务或贵宾帐户".
For that you want a Premier or Business account, not a Personal account. Note: in the Paypal docs it sometimes says you need a Paypal Business account. Whenever they say that, they actually mean, "a Paypal Business or Premier account".
现在获得一个产品网站并自定义您的立即购买"按钮等.当用户进行购买时,您的网站将收到来自 Paypal IPN ,这是他们的通知服务.此ping只是对您网站上已定义的HTTP端点的调用,它包含您想要的有关购买的所有信息.主要是用户的电子邮件...
Now get yourself a product website and customize your Buy Now buttons etc. When the user makes a purchase, your website will receive a ping from Paypal IPN, which is their notification service. This ping is just a call to a defined HTTP endpoint on your website, and it contains all the information you'll want about the purchase. Mainly, the user's email...
(好吧,我想提一提:Paypal与大多数其他合法处理器一起使用的是一个沙盒",您可以在运行之前对其进行测试.这是否使您对实际使用感到迷惑不解?生活,有钱就可以了.)
(Okay, I feel like I should mention: Paypal along with most other legit processors have a "sandbox" where you can test all this out before going live. Does wonders towards giving you the warm fuzzy about actually going live, with money on the line.)
您将在购买后用来自动向用户发送激活码,因此他们不必等待24小时即可手动向他们发送代码.在数据库中存储此激活码(在这种情况下,它可以是任何唯一的,难以猜到的数字,例如是否带有GUID,是否经过美化)以及使用计数,您可以跟踪该使用计数以检测重复的代码.
Which you'll use to auto-send the user an Activation Code after purchase, so they don't have to wait 24 hours for you to manually send them a code. Store this activation code (which under this scenario can be any unique, difficult-to-guess number, such as a GUID, prettified or not) in the DB with a usage count which you'll track to detect duplicate codes.
用户通过您提供的屏幕将激活码输入软件.
The user enters the Activation Code into the software, via a screen you provide.
该软件通过https与服务器联系(这是一次性的情况,仅在软件被解锁时才会发生),并说:嘿,用户刚刚给我的这个许可证代码有效吗?"
The software contacts the server over https (this is a one-time thing that happens only when the software is unlocked), and says, "hey, is this license code the user just gave me valid?"
如果提供的激活码与销售时存储在数据库中的代码匹配,并且尚未确认该激活码,则表示成功!
If the supplied activation code matches the code stored in the database at the time of sale, and that activation code hasn't yet been confirmed, then Success!
然后,服务器需要构建许可证文件,该文件是一个非常简单的XML或文本文件,其中包含允许该软件副本执行的操作".它应包含的内容没有任何标准,只有一些约定.
The server then needs to build the license file, which is an extremely simple XML or text file containing "what this copy of the software is allowed to do". There's no standard for what it should contain, only a few conventions.
服务器使用应用程序的私钥对许可证文件进行签名,并将其作为数据流返回给您的应用程序...
The server signs the license file with the application's private key and returns it as a data stream to your application...
将其另存为.LIC或.LICX(或所需的任何扩展名)文件,然后按照步骤3检查加载时间.
Which saves it as a .LIC or .LICX (or whatever extension you want) file, which it then checks on load time as per Step 3.
这对我来说真的很好,并且实现起来很困难.整个过程的关键很简单:信任那些XML DSig.如果缺少LIC文件,则默认为试用模式.修改信号后,将切换到试用模式.只有当LIC文件存在,经过有效签名并包含正确的信息时,您才(使用代码)才能打开对完整"功能的访问权限.
This has worked really well for me, and it's a cinch to implement. The key to the whole thing is simply: trust those XML DSigs. When the LIC file is missing, you default to trial mode. When the sig is modified, you switch to trial mode. Only when the LIC file is present, validly signed, and contains the right information, do you then (in code) open up access to "full" functionality.
此外,在代码中插入多个许可证检查点.我在应用程序启动时执行一项操作,在空闲时执行另一项操作,然后在进入关键功能区域之前执行另一项操作.因此,如果有人确实撤消了代码,并且可以这样做,那么他们至少必须进行一些搜索以检查所有许可证检查.当然,您无能为力,无法阻止人们围绕这些支票打补丁.您只想使其变得更困难.
Also, interperse more than one license-check point in your code. I do one at app startup, another at idle, and another just before entering key functional areas. So if someone does reverse the code, and they can, they'll at least have to do a bit of searching to gut all the license checks. Of course, nothing you can do can prevent people from patching their way around those checks. You just want to make it a bit more difficult.