问题描述
有关钟爱的项目,我开发这需要从几个不同的Web服务API密钥的桌面应用程序。
For a pet project, I develop a desktop application which requires API keys from several different webservices.
我已经经历和preparing这个应用程序成为开放源代码并在如何处理这些键做的问题上运行。
I've been going through and preparing this application to become open-sourced and run across the problem of what to do with those keys.
问题是这样的:我的理解是,这些API密钥不应该是使用应用程序或查看/修改源$ C $ C任何人可见。从WebService的结束,这些API密钥用于识别访问他们的API的应用程序,并允许/块使用为宜。在大多数TOS的,用于接收这些密钥它实际上明确指出键不能与世界分享。
The problem is this: My understanding is that these API keys should not be visible to anyone using the application or viewing/modifying the source code. From the webservice's end, these API keys are used to identify applications accessing their API, and allow/block usage as appropriate. In most of the TOS's for receiving these keys it's actually explicitly stated that the keys must not be shared with the world.
目前我所有的键是硬codeD,但我陷入了僵局,以如何处理私钥的情况,一个开源的应用程序:
Currently all my keys are hard-coded, but at I'm at an impasse as to how to handle the situation of private keys in an open-source application:
- 如果按键保持硬codeD,他们将公开可见的,只要我的源$ C $ c为。
-If the keys remain hardcoded, they'll be publicly visible as soon as my source code is.
- 我真的不能忽略从code分发密钥的源文件,从此以后
它不会编译。这在技术上解决该问题,但引入了一个新的,不可接受
之一。
-I can't really omit the source file with the keys from the code distribution, since thenit won't compile. This technically solves the problem, but introduces a new, unacceptableone.
- 如果我把钥匙开了个的.ini或其他配置文件,根本不包含该文件
在我的公开code库,它仍然必须与我的应用程序,以使应用功能二进制分发,所以我的钥匙将在应用程序分发,而不是源代码分发可见。未改进。任何加密体操我试图利用这个INI文件会增加复杂性,任何人试图修改我的code。
-If I push the keys off to a .ini or other config file, and simply not include that filein my public code repository, it would still have to be distributed with the binary of my application in order for the app to function, so my keys would be visible in the application distribution instead of the source distribution. Not an improvement. Any encryption gymnastics I attempted to utilize on this INI file would be adding the complexity for anyone attempting to modify my code.
所以,关于我的codeBase的(目前正在水银进行版本控制),什么是管理一切,使得code可以是公有的最佳方式,但我的钥匙留民营?
So, with regards to my codebase (currently under Mercurial for version control), what's the best way to manage everything so that the code can be public, but my keys stay private?
推荐答案
不知道你用的是什么语言,但例如在C / C ++你添加一个包含文件的API密钥,然后离开它从源头控制,而不是添加一个虚假的文件,的明确假的API密钥。大多数语言都有一个或其他方式,包括文件。
Don't know what language you are using, but for example in C/C++ you'd add a include file with the API keys, and then leave it out of source control, instead add a bogus file with explicitly fake API keys. Most languages have one or the other way to include files.
这篇关于如何开源,使用API密钥的应用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!