Personally I’d stay away from PACE, especially for small plugins. Without going into too much detail, but i had to go to quite a lot of trouble in the past.
The effort you’ll need to put into your licensing system mainly depens on how honest you think your customers are, and how much you want to bother them about it.
There will always be some cracks out there, so me personally wouldn’d spent too much time designing a clever scheme.
If you need offline support but don’t want to design your own licensing server, something along these lines should probably work fine:
- Generate a RSA-Key-pair, compile the public key into the plugin, keep the private one for yourself
- Let the plugin generate a machine-id (see juce docs)
- Let the user send you the id string
- Encrypt the id string using the private RSA key, send the encrypted string back to the user
- Let the plugin verify that when applying the public RSA key to the string you sent back the same machine id is obtained
If the strings match, than this means that you personally approved that this device is allowed to use your plugin. It also means that every device must be approved by you, and there isn’t any token or license key that could be copied to another device. Since the plugin can save the encrypted id on disk, it doesn’t need internet connection to re-check whether it is licensed.
Possible attack vectors are that plugin binary is modified to simply skip this check (which is a very high bar), or maybe some methods to spoof the machine id.