2

I'm creating a license that allows a user to use a Python program for a specific period of time. The program uses datetime.today() to check the current date and then compares it to the expiration date encrypted in the license. If the current date is past the expiration date, it fails to run.

My concern is, what if someone manipulates his PC's time to make the program think the license is still valid? Does Python datetime library use PC's time? If not, what's the source for it?

Thanks in advance!

currentlyunknown
  • 159
  • 1
  • 8
  • 2
    You could use ntp: https://stackoverflow.com/questions/12664295/ntp-client-in-python – Maurice Meyer Jun 04 '20 at 20:48
  • 1
    If your code is able to decrypt the license locally, what's to stop the user from modifying it with a new date? I don't think what you want to do *can* work. Programs typically either unlock themselves once and permanently, or require a new token on demand every time they execute. – chepner Jun 04 '20 at 20:59
  • Depending on how your program works, you might be able to use internal consistency to estimate the passage of time. E.g. if a ToDo-app may check that no events have passed past the license expiration date. While a user can still modify the system clock, they would also make the app functionally unusable that way. – MisterMiyagi Jun 04 '20 at 21:04
  • Does this answer your question? [How datetime.datetime.now() works without internet connection?](https://stackoverflow.com/questions/45831987/how-datetime-datetime-now-works-without-internet-connection) – Georgy Jun 04 '20 at 21:05
  • @chepner the user won't be able to see the source code, just execute it – currentlyunknown Jun 04 '20 at 21:11
  • You don't need the source to extract the relevant bits of binary. If your program can do it, assume your user can as well. – chepner Jun 04 '20 at 21:56
  • Classic [XY problem](https://meta.stackexchange.com/questions/66377/); you need to implement a license service as @Aziz suggests. Having the user's machine authenticate the user never works. – Dour High Arch Jun 06 '20 at 17:33

2 Answers2

3

datetime.today() uses system date/time. So yes, a user can change the system time to trick the program.

You can use a library like ntplib to get the time from a remote server, but of course this requires a network connection. So you may want to decide how to deal with a situation when your program doesn't have network access: maybe you only ping the server every week or so and require that the application be connected to the internet at least once per week.

A better solution would be to give your user a product key they need to enter into the application. The application will check this product key against your own server on start-up (or at specified intervals) and only continue if the key is valid. This way, you can control user access at all times since you can easily change product-key privileges at any point.

Aziz Sonawalla
  • 2,482
  • 1
  • 5
  • 6
  • `ntp` would be overkill. Just connect directly to your own server which broadcasts an encrypted date and time. If `datetime` is off by more than an hour, permanently disable the program. – Mark Ransom Jun 04 '20 at 20:57
  • if you have your own server you can ping, that's just one step away from setting up a 'product-key' system - much better than using an expiry time. – Aziz Sonawalla Jun 04 '20 at 20:59
  • A server that only returns the time can be simpler and faster than one that checks license keys. No database access required. – Mark Ransom Jun 04 '20 at 21:02
  • Yes, the time-only solution will be simpler and I will use it for now. However, in a bigger scale, product-key solution seems more reasonable. @AzizSonawalla if you could give some more details on how to set something like that up, I'd be more than grateful. – currentlyunknown Jun 10 '20 at 11:44
0

The datetime class in python uses the configured time of the operating system.

G Scott Walters
  • 33
  • 4