Mac App Store Receipt Validation Code?

Question

Wondering if anyone has a tutorial or working code for the new Mac App Store's receipt validation? About the only references I've been able to find so far are Apple's stellar documentation on the topic and one open source project which compiles but doesn't have a lot of inline comments so it's hard to understand unless you are a crypto whiz.

Apple docs for registered devs only:

https://developer.apple.com/devcenter/mac/documents/validating.html

Roddi's ValidateStoreReceipt (looks promising, but sparsely documented):

https://github.com/roddi/ValidateStoreReceipt

Also wondering why Apple does not just provide working code for validation?

Any other good references out there?

Recommended answer

It is hard to provide a generic solution for Mac App Store receipt validation, mainly because this is a very sensitive piece of code that must be hard to bypass (cf. Apple documentation).

These GitHub projects are very good starting points to learn about what steps must be performed in receipt validation:

Once you have understood what must be done, here is some advice:

  • Don't use Objective-C classes or methods. Objective-C carries a lot of metadata, and its dynamic nature exposes it to runtime injection.
  • Only use C function calls. Even if you need more lines of code with the CoreFoundation framework, you can perfectly do what the Foundation framework can do (NSString, NSArray, NSDictionary, ...).
  • Don't link dynamically with the OpenSSL library as it has been deprecated in Mac OS X Lion. If you want to go with OpenSSL, link it statically to be sure to have the latest release.
  • Use system functions for cryptography. Mac OS X ships with equivalent functions since 10.5. For example, to compute a SHA-1 hash, you can use the CC_SHA1 function.
  • Don't put strings in plaintext in your code. Encode them or encrypt them. If you fail to do so, you give a hint about the location of your code.
  • Don't use numeric constants in your code. Compute them at runtime, with some simple operations (+, -, / or *). Again, if you fail to do so, you give a hint about the location of your code.
  • Avoid simple tests for validation by embedding your tests and the call to NSApplicationMain into a complex loop.
  • Avoid calling NSApplicationMain directly. Use a function pointer to hide the invocation. If you fail to do so, you give a hint about the location of your code.
  • For each release of your application, slightly modify the validation code so it is never the same.

Remember that receipt validation is necessary and is not as simple as it seems. It can consume a lot of time that you may better spend on your application.

So I suggest you take a look at this application: Receigen (Disclaimer: I am the developer of this application).
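An added example, not code from the answer or from any of the projects it mentions, showing three of the listed hardening points in plain C: a string kept encoded, numeric constants computed at run time, and the entry point reached through a function pointer. Assumptions: `launch_app` is a hypothetical stand-in for `NSApplicationMain`, `com.example.app` and the XOR encoding are constructed for illustration, and the identifier comparison is a placeholder for the real receipt checks.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample: the bytes of "com.example.app" XOR-ed with 0x5A, so the
   identifier never shows up as a readable literal in the binary. */
static const unsigned char enc_id[] = {
    0x39, 0x35, 0x37, 0x74, 0x3F, 0x22, 0x3B, 0x37,
    0x2A, 0x36, 0x3F, 0x74, 0x3B, 0x2A, 0x2A
};

/* volatile seeds keep the compiler from folding the arithmetic into constants */
static volatile unsigned seed_a = 15, seed_b = 6;

/* Decode the expected identifier into out; returns its length, or 0 if out is too small. */
size_t decode_expected_id(char *out, size_t cap) {
    size_t n = sizeof enc_id;
    if (cap < n + 1) return 0;
    unsigned char key = (unsigned char)(seed_a * seed_b);  /* 0x5A, computed at run time */
    for (size_t i = 0; i < n; i++) out[i] = (char)(enc_id[i] ^ key);
    out[n] = '\0';
    return n;
}

typedef int (*entry_fn)(void);
static int launch_app(void) { return 0; }  /* hypothetical stand-in for NSApplicationMain */
static int refuse(void) { return (int)(seed_a * 11 + 8); }  /* 173, the failure exit status in Apple's guide */

/* Pick the entry point from a table; no branch names launch_app directly. */
entry_fn select_entry(const char *bundle_id) {
    char expected[32];
    size_t n = decode_expected_id(expected, sizeof expected);
    size_t len = strlen(bundle_id);
    unsigned diff = (unsigned)(len ^ n);
    /* Compare every byte without an early exit; index len is the NUL terminator. */
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned)((unsigned char)expected[i] ^ (unsigned char)bundle_id[i < len ? i : len]);
    entry_fn table[2] = { refuse, launch_app };
    return table[diff == 0];
}

int run(const char *bundle_id) { return select_entry(bundle_id)(); }

int main(void) { return run("com.example.app"); }
```

In line with the last bullet, the encoded table, the seeds and the arithmetic would be regenerated for each release so the compiled pattern is never the same twice.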
