Security model
What this protects against
| Threat | Defense | Effectiveness |
|---|---|---|
| Tampered installer (MITM) | Signed installer + SHA-256 on releases page | High |
| Stolen license key | Hardware-bound device IDs, 2-device cap, revoke from /account | High |
| Replay of license activation | Signed nonce + timestamp on each activation | High |
| Malicious update served from our CDN | Updates signed with offline Ed25519 key, verified before apply | High |
| Credential stuffing on /account | Email magic-link only, no passwords stored | High |
| License server compromise | License validation is offline-verifiable via published public key | Medium |
| Local key extraction | Key stored in DPAPI-encrypted blob, scoped to current user | Medium |
| Supply-chain (dependency) | Pinned lockfile, reproducible builds, SBOM published per release | Medium |
What it does NOT protect against
- A compromised Windows account — if an attacker has your user session, they have your license blob.
- Physical access to an unlocked machine.
- Sharing your license key in public — anyone with the key and your email can activate up to your device cap.
- Anti-cheat policy changes in games other than Rocket League.
Layered defense
- Code-signed installer (EV cert) — Windows SmartScreen passes immediately.
- ViGEmBus is Microsoft WHQL-signed; we never ship our own kernel driver.
- User-mode process only; no service, no scheduled task, no auto-start daemon.
- License validated offline after first activation using an Ed25519 public key bundled with the app.
- License server stores only email, license key, and hashed device IDs — no input data, no telemetry.
- All license API traffic over TLS 1.3 with certificate pinning.
- Updates: opt-in only, verified against an offline-held signing key before write.
- Local config encrypted at rest via Windows DPAPI (current-user scope).
- No remote code execution path — we do not download and run scripts.
- Audit script ships in the app to demonstrate 1:1 input passthrough at 1000 Hz (it shows what the app emits matches what it reads; it is evidence, not a proof).
- SBOM and reproducible build hashes published with every release.
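The activation exchange and the per-launch offline check described above, written out as an added example. This is not RLHub's code and the page does not publish its wire format: the JSON fields, the 5-minute timestamp window, the hypothetical `/account`-style device table and the in-memory signing key (the page says the real key is held offline) are all assumptions of this example. The Ed25519 primitive, the 2-device cap, the hashed device ID, the signed nonce + timestamp and the offline verification against a bundled public key are the page's own design.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

// Wire format is this example's own (assumption); the page does not publish RLHub's.
// The app stores one Signed response and re-verifies it offline on every launch.
type Activation struct {
	Email        string `json:"email"`
	LicenseKey   string `json:"license_key"`
	DeviceIDHash string `json:"device_id_hash"` // sha256(hardware-derived ID); all the server stores
	Nonce        string `json:"nonce"`          // echoed from the client's request
	IssuedAt     int64  `json:"issued_at"`      // unix seconds, server clock
}

type Signed struct {
	Payload []byte // JSON-encoded Activation
	Sig     []byte // Ed25519 over Payload
}

const (
	maxDevices = 2               // the page's device cap
	maxSkew    = 5 * time.Minute // acceptance window for IssuedAt (assumed value)
)

func DeviceHash(deviceID string) string {
	h := sha256.Sum256([]byte(deviceID))
	return hex.EncodeToString(h[:])
}

// Server holds the signing key (generated in memory for this demo) and the
// per-key device table that enforces the cap and backs the /account revoke.
type Server struct {
	priv    ed25519.PrivateKey
	devices map[string]map[string]bool // license key -> set of device hashes
}

func NewServer() (*Server, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Server{priv: priv, devices: map[string]map[string]bool{}}, pub
}

// Activate enforces the device cap, then signs grant + client nonce + timestamp.
func (s *Server) Activate(email, key, devHash, nonce string, now time.Time) (Signed, error) {
	devs := s.devices[key]
	if devs == nil {
		devs = map[string]bool{}
		s.devices[key] = devs
	}
	if !devs[devHash] && len(devs) >= maxDevices {
		return Signed{}, errors.New("device cap reached; revoke one from /account")
	}
	devs[devHash] = true
	payload, err := json.Marshal(Activation{Email: email, LicenseKey: key, DeviceIDHash: devHash, Nonce: nonce, IssuedAt: now.Unix()})
	if err != nil {
		return Signed{}, err
	}
	return Signed{payload, ed25519.Sign(s.priv, payload)}, nil
}

// CompleteActivation is the client side. Order matters: signature first, then
// the nonce the client chose itself, then freshness, then device binding.
func CompleteActivation(pub ed25519.PublicKey, resp Signed, sentNonce, deviceID string, now time.Time) (*Activation, error) {
	if !ed25519.Verify(pub, resp.Payload, resp.Sig) {
		return nil, errors.New("bad signature")
	}
	var a Activation
	if err := json.Unmarshal(resp.Payload, &a); err != nil {
		return nil, err
	}
	if a.Nonce != sentNonce { // a captured response carries an old nonce
		return nil, errors.New("nonce mismatch: replayed or foreign response")
	}
	if d := now.Sub(time.Unix(a.IssuedAt, 0)); d < -maxSkew || d > maxSkew {
		return nil, errors.New("timestamp outside acceptance window")
	}
	if a.DeviceIDHash != DeviceHash(deviceID) {
		return nil, errors.New("activation bound to a different device")
	}
	return &a, nil
}

// ValidateOffline is the per-launch check: bundled public key plus the local
// device ID, no server round trip. The nonce only guards the exchange itself.
func ValidateOffline(pub ed25519.PublicKey, stored Signed, deviceID string) bool {
	var a Activation
	return ed25519.Verify(pub, stored.Payload, stored.Sig) &&
		json.Unmarshal(stored.Payload, &a) == nil &&
		a.DeviceIDHash == DeviceHash(deviceID)
}
```

Two points worth noting from the split. The replay defense lives in `CompleteActivation`, where the client checks that the nonce it sent came back under a valid signature; `ValidateOffline` deliberately does not recheck the nonce, otherwise the stored response would be rejected on the second launch. And the offline check only proves the response was signed by whoever holds the private key, which is why the table rates a license server compromise as Medium: the client cannot tell a legitimately signed activation from one signed after a compromise.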
Operational must-dos
- Download only from https://releases.rlhub.app.
- Verify the SHA-256 published next to each release before running.
- Treat your license key like a password — do not paste it in Discord or stream overlays.
- Revoke unknown devices from /account immediately.
```text
# Verify the installer
> certutil -hashfile RLHub-1.0.0.exe SHA256
SHA256 hash of RLHub-1.0.0.exe:
a3f1c4... # must match the value on the releases page
```
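The same hash check as code, added here as an example rather than anything shipped by RLHub. It folds the two forms the published value tends to be pasted in (upper case, and the byte-separated "a3 f1 c4 ..." output of older certutil builds) and it refuses a truncated value: the "a3f1c4..." shown above is an elided display, and a prefix comparison against it would pass for any file starting with those bytes. File names and the sample input are constructed for the test.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"io"
	"os"
	"strings"
)

// NormalizeHash folds the forms a published hash turns up in: upper case,
// and the byte-separated "a3 f1 c4 ..." that older certutil builds print.
func NormalizeHash(s string) string {
	return strings.ToLower(strings.Join(strings.Fields(s), ""))
}

// HashReader streams the installer through SHA-256 instead of reading it whole.
func HashReader(r io.Reader) (string, error) {
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Matches requires a full 32-byte digest on both sides: a truncated value such
// as "a3f1c4..." copied from a page can never match, only the whole hash can.
func Matches(computed, published string) bool {
	a, errA := hex.DecodeString(NormalizeHash(computed))
	b, errB := hex.DecodeString(NormalizeHash(published))
	return errA == nil && errB == nil &&
		len(a) == sha256.Size && len(b) == sha256.Size && string(a) == string(b)
}

// VerifyInstaller is the "verify the SHA-256 before running" step as a function.
func VerifyInstaller(path, published string) (bool, error) {
	f, err := os.Open(path)
	if err != nil {
		return false, err
	}
	defer f.Close()
	sum, err := HashReader(f)
	if err != nil {
		return false, err
	}
	return Matches(sum, published), nil
}
```

The hash only proves the file is the one listed on the releases page; it says nothing about who built it. The signature on the installer is the separate check, which on Windows is the Digital Signatures tab in the file's properties or Get-AuthenticodeSignature in PowerShell.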