如何开源使用 API 密钥的应用程序 [英] How to open-source an application that uses API keys
问题描述
对于一个宠物项目,我开发了一个桌面应用程序,它需要来自多个不同网络服务的 API 密钥.
For a pet project, I develop a desktop application which requires API keys from several different webservices.
我一直在研究和准备这个应用程序成为开源,并遇到了如何处理这些密钥的问题.
I've been going through and preparing this application to become open-sourced and run across the problem of what to do with those keys.
问题是这样的:我的理解是,使用应用程序或查看/修改源代码的任何人都不应该看到这些 API 密钥.从 Web 服务的一端开始,这些 API 密钥用于识别访问其 API 的应用程序,并在适当时允许/阻止使用.在大多数用于接收这些密钥的 TOS 中,实际上明确声明这些密钥不得与全世界共享.
The problem is this: My understanding is that these API keys should not be visible to anyone using the application or viewing/modifying the source code. From the webservice's end, these API keys are used to identify applications accessing their API, and allow/block usage as appropriate. In most of the TOS's for receiving these keys it's actually explicitly stated that the keys must not be shared with the world.
目前我所有的密钥都是硬编码的,但我在如何处理开源应用程序中的私钥情况方面陷入僵局:
Currently all my keys are hard-coded, but at I'm at an impasse as to how to handle the situation of private keys in an open-source application:
-如果密钥保持硬编码,它们将在我的源代码发布后立即公开可见.
-If the keys remain hardcoded, they'll be publicly visible as soon as my source code is.
-我真的不能从代码分发中省略带有密钥的源文件,从那时起它不会编译.这在技术上解决了问题,但引入了一个新的、不可接受的一个.
-I can't really omit the source file with the keys from the code distribution, since then it won't compile. This technically solves the problem, but introduces a new, unacceptable one.
-如果我将密钥推送到 .ini 或其他配置文件,并且根本不包含该文件在我的公共代码存储库中,它仍然必须与我的应用程序的二进制文件一起分发才能使应用程序运行,因此我的密钥将在应用程序分发而不是源代码分发中可见.不是改进.我试图在这个 INI 文件上使用的任何加密体操都会增加任何试图修改我的代码的人的复杂性.
-If I push the keys off to a .ini or other config file, and simply not include that file in my public code repository, it would still have to be distributed with the binary of my application in order for the app to function, so my keys would be visible in the application distribution instead of the source distribution. Not an improvement. Any encryption gymnastics I attempted to utilize on this INI file would be adding the complexity for anyone attempting to modify my code.
那么,关于我的代码库(目前在 Mercurial 下进行版本控制),管理所有内容以便代码可以公开但我的密钥保持私密的最佳方法是什么?
So, with regards to my codebase (currently under Mercurial for version control), what's the best way to manage everything so that the code can be public, but my keys stay private?
推荐答案
不知道您使用的是什么语言,但例如在 C/C++ 中,您会添加一个包含 API 密钥的包含文件,然后将其保留在源代码控制之外,添加一个带有显式伪造 API 密钥的伪造文件.大多数语言都有一种或另一种方式来包含文件.
Don't know what language you are using, but for example in C/C++ you'd add a include file with the API keys, and then leave it out of source control, instead add a bogus file with explicitly fake API keys. Most languages have one or the other way to include files.
这篇关于如何开源使用 API 密钥的应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
