Are CA certs of any value in reducing piracy?

DSP, Plugin and Host development discussion.

Post

Curious if CA certs can be used as a means to reduce software piracy - assumption being that pirated software is often infused with malware (i.e., it should no longer match the original file).

I have played around with "self-signed" certs but was able to edit the plugin file (.dll) with a hex editor after signing and it still ran without issue. In other words, self-signed cert didn't have any effect.

I already use Pace signing for Pro Tools (AAX plugins) and that does a great job of stopping altered code in Pro Tools. It seems there should be a similar way to do this with VST and AU plugins using CA signing, yes/no? I would like to avoid going full Pace/iLok (which many customers hate) and am willing to sacrifice SOME protection to do that but want to stop piracy best I can otherwise.

Any input appreciated!

Post

The best way to avoid is low prices. 15 dollars is the magic number. 28 is also good. Those two and piracy just doesn't happen. Quite often people have pirated just to test the real thing and never even use them, because frankly they're often not worth the price.

Post

Malware != altered. Malware does truly malicious things other than circumventing your protection.

Self-signed certificates can never be checked, since there is no authority to verify with.

Anyone can get a proper certificate and sign the changed code again. It's only good for the most basic forms of tampering.

Low price to avoid it? False. Even freeware gets cracked, just because they can.
We are the KVR collective. Resistance is futile. You will be assimilated.
My MusicCalc is served over https!!
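
An added example, not written by any poster in this thread: a PowerShell check a vendor or user could run to separate the cases discussed above, namely a file modified after signing and a file re-signed with a different certificate. It uses the built-in `Get-AuthenticodeSignature` cmdlet; the function name `Test-PluginSignature`, the scanned folder and the thumbprint placeholder are assumptions.

```powershell
# Added example: report whether a plugin binary still carries the vendor's signature.
# The thumbprint is a placeholder; substitute the thumbprint of your own signing cert.
function Test-PluginSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $actual = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

    # Normalise the pinned thumbprint (copied values often contain spaces).
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()

    $verdict = switch ($sig.Status) {
        'NotSigned'    { 'unsigned'; break }
        # The file hash no longer matches the signed hash, e.g. after a hex edit.
        'HashMismatch' { 'modified after signing'; break }
        'Valid' {
            # A valid chain alone is not enough: anyone with a certificate can re-sign.
            if ($actual -eq $expected) { 'intact, signed by expected publisher' }
            else { 're-signed by a different publisher' }
            break
        }
        # Any other status, including a signer Windows cannot chain to a trusted root.
        default { "signature not verifiable: $($sig.Status)" }
    }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Thumbprint = $actual
        Verdict    = $verdict
    }
}

# Constructed usage: scan an assumed VST3 install folder.
Get-ChildItem -Path 'C:\Program Files\Common Files\VST3' -Recurse -Include *.dll, *.vst3 -File |
    ForEach-Object { Test-PluginSignature -Path $_.FullName -ExpectedThumbprint '<YOUR-CERT-THUMBPRINT>' }
```

The check only reports a result when something runs it; a modified copy of the plugin can simply omit the same check from its own code, which is the circumvention described later in the thread.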

Post

BertKoor wrote: Tue Sep 10, 2019 6:04 am Anyone can get a proper certificate and sign the changed code again.
What if the original cert info was somehow searched for in the code? In other words, different cert, code doesn't work. If using a pre-established .p12 cert could info from that cert be used to key the code? Seems even a self-signed cert might work if this is possible.

Post

It can (and will) be circumvented in the changed code. Only low-level enforcement of an underlying platform / OS can help there. So it's not going to happen.

Post

BertKoor wrote: Tue Sep 10, 2019 5:03 pm It can (and will) be circumvented in the changed code. Only low-level enforcement of an underlying platform / OS can help there. So it's not going to happen.
OK, what options are there for active code protection besides something like iLok or some incredibly complicated web-based challenge/response system? I know there are some clever folks here who have their own means. Any input appreciated!

Post

Sure, 21 pages of good ideas, especially look at contributions from Urs.
viewtopic.php?f=33&t=472847

Haven't we pointed you to this already?
Apparently yes.

One of the most important aspects is to not care about it anymore. Or at least, not as much...

What do you enjoy most: coding plugins or fighting the pirates? Do you really lose anything with the cracks? Got numbers to prove that?

In short: pick your battle.

Post

BertKoor wrote: Tue Sep 10, 2019 6:04 am Malware != altered. Malware does truly malicious things other than circumventing your protection.

Self-signed certificates can never be checked, since there is no authority to verify with.

Anyone can get a proper certificate and sign the changed code again. It's only good for the most basic forms of tampering.
Getting a code certificate is quite complex, and fairly expensive too. Maybe there's stolen certificates out there, dunno. It seems to me that e.g. the requirement to sign AAX plugins makes it at least a lot more tedious for crackers though.
BertKoor wrote: Tue Sep 10, 2019 6:04 am Low price to avoid it? False. Even freeware gets cracked, just because they can.
Yep. There used to be a few groups that didn't crack cheap software (with the idea to support indie devs), unfortunately this is/was entirely useless because others still go ahead and crack whatever they can.

Richard
Synapse Audio Software - www.synapse-audio.com
