I was wondering about the options I have in golang to protect the binary.
I have an experimental service which I want to limit the usage per
registration and to limit period of time that it is being used.
I would also want to limit the distribution of the software from machine
to machine and even VM’s.
I know it’s a complex issue and I do not have any experience with it.
What I am looking for is either library that does that already or
references to ideas and other implementations.
I had in mind that I will might need some special code or special online
API for some of the actions.
Basically the service should be able to access the Internet ALL the time
so I was thinking about fetching some of the runtime from the Internet
but I do not know how it will be possible with Golang.
There isn’t any prebuilt solution for it that I know. All binaries are static, so no part of the runtime can be dynamically fetched.
The best solution depends on your usage scenario. However, for many people just disassembling the binary is much more effort than they are willing to go through.
You could do personalized builds, so each user gets a unique binary with a user ID you can use to verify against a server. With the Go compiler being so fast it is easy to generate a unique executable per user. Adding it along with other data to a download on the fly is perfectly viable.
You can either simply generate a .go file with the unique content, or insert it with build flags:
go build -ldflags "-X main.userid abcdefg" myapp.go
You can add encrypted content and retrieve the key from the server, you can add date checks, etc.
Basically the more “protection” you want, the more time can spend on it. However, nothing is of course unbreakable. Network traffic can be monitored, but you can make it very hard to crack.