TracktionMarketplace privateKey / Key questions


#1

Hi,

I'd like to use the TracktionMarketplace module for my own shop. I use the KeyGeneration class in a small binary on my server and invoke it from PHP. It works so far, but how do I generate the private key which KeyGeneration::generateKeyFile() needs?

Is it correct that OnlineUnlockStatus::getPublicKey() has to return a static RSA key which I generate once for each app?

Thanks


#2

That's right. You can generate the key with something like the JUCE demo's SSH demo page, or write your own code to call the RSA methods to generate one.


#3

Thanks, I'll study it!

And is the private key also generated once per app, or for each user?


#4

Once per app.

(Public and private keys always travel in pairs)


#5

Thanks, I believe I should read that RSA stuff again. ;-)

Cheers


#6

Is it a bad idea to add the private key hard-coded to the KeyGeneration app on the server?


#7

...well, the key generator encrypts a piece of information, which is used to unlock your app.

The server needs one part of the key to encrypt, and the app/plugin needs the second part of the pair to decrypt and verify. As long as the generation app acts automatically, it needs the key. You may still try to obfuscate it as much as you can, but there is no chance to store it in a way that it can't be used by someone who has access to your server.

So make your server as secure as you can. (This is the bad part when you only run a virtual server at a hosting company: you have to trust them...)