I don't mean "how do you keep the public key secret". I mean, how do you keep the user from changing the public key for one from their own generated keypair, thereby allowing them to sign whatever they like and bypass your security. We've been thinking of various obfuscation techniques to keep the public key hidden but I'm wondering if there's some better way we haven't figured out.
Well, we more or less checksum the whole application, because people tend to patch the code to bypass the whole authorization code. Ok, this is not 100% safe either but works for us at the moment.

Ruotger Skupin
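
An added illustration of the whole-application checksum described in the reply above; it is not the poster's code. The function names, file layout and file contents are constructed for the example. As the reply says, a check shipped inside the application can itself be patched out.

```python
import hashlib
import hmac
import os
import tempfile

def bundle_digest(root, skip=()):
    """SHA-256 over every file under root, independent of directory walk order.

    Each file contributes its relative path and its content digest, so a
    patched, added, removed or renamed file changes the result.
    """
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in skip:  # e.g. a file that stores the expected digest
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            entries.append((rel, h.hexdigest()))
    outer = hashlib.sha256()
    for rel, digest in sorted(entries):
        # NUL after the path and a fixed-length hex digest keep records unambiguous
        outer.update(rel.encode("utf-8") + b"\0" + digest.encode("ascii") + b"\n")
    return outer.hexdigest()

def is_untampered(root, expected_hex, skip=()):
    return hmac.compare_digest(bundle_digest(root, skip), expected_hex)

def demo():
    # Constructed stand-in for an application bundle with an embedded public key.
    with tempfile.TemporaryDirectory() as app:
        os.makedirs(os.path.join(app, "Resources"))
        key_path = os.path.join(app, "Resources", "pubkey.pem")
        with open(os.path.join(app, "main.bin"), "wb") as fh:
            fh.write(b"constructed executable bytes")
        with open(key_path, "wb") as fh:
            fh.write(b"constructed vendor public key")
        expected = bundle_digest(app)  # recorded at build time
        before = is_untampered(app, expected)
        with open(key_path, "wb") as fh:  # the key swap the question describes
            fh.write(b"constructed substituted key")
        after = is_untampered(app, expected)
        return before, after

if __name__ == "__main__":
    print(demo())
```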


