Tags: vb.net, encryption, licensing, drm

How to avoid public key spoofing?


I am doing an activation server which will enable users to activate their software. The problem is that they own the public key. The verification method needs the public key to check the signature of the license file. My concern is that someone could generate their own license file using two keys (public and private) and then change the public key on the client, which would spoof his current license.

Is there any way of avoiding this? Where should the public key be stored? You have to take into consideration that the checkup is done on the client and the signature is created on the server.

Thanks.


Solution

  • Don't use a licensing file. Each time the application is started, have it connect to a licensing server to validate it.