I have a piece of software which I would like to lock down using a license key. This key contains the expiration date in Unix timestamp format. To check if the license is valid in the software, I compare the current Unix timestamp to the expiration date in the license key. Here's the tricky bit: I want to be able to allow the user to run the software offline without making a request to a server to validate the license (in essence, the user shouldn't require an external network connection to run the software).
Are there any strategies which can be used to prevent the user from simply changing the clock on their machine which essentially bypasses the license expiration?
I work for a company that provides two solutions for the problem of node locking a license to a device when that device does not have an internet connection.
I'd also start by saying that there are actually two parts to your question: how do you perform a license activation on a computer that does not have internet access, and how do you perform the license checks on the local machine, once you have bound the license to that device.
If you don't node lock the license to the device, then anyone with the key you generated can just use it on an unlimited number of machines. For this you still need a way to communicate a device identifier back to the license server, even if it's not done through a direct internet connection.
Our first solution tackling offline node-locking does basically the same thing that our online activation does, except it's through a series of request / license files being exchanged between the client machine and the license server instead of Server-to-server interactions. The gist of it is as follows:
cyrusbehrVendor issues a license key for cyrusbehrApp and gives it to the end user.
request file containing information on the device, and the key which is being used to activate the app (the file is / should be encrypted). The file is actually generated by the SDK that we supplied to cyrusbehrVendor, who imported it into their project and is shipped with the app. The end user takes this request file and uploads it to the License Server using our offline licensing portal.
Most Software developers might find this a "good enough" solution to offline licensing that isn't toooooo inconvenient for the end-user. However, if your requirement also does not allow for files to be exchanged, or files cannot leave the target machine, we also provide an air-gapped solution to unlock license policies shipped with your app. We designed our air-gapped license activation in the following way:
Concerning your question about local license checks and having some sort of anti-clock tampering mechanism, you can do the following:
Read and Store a time stamp of the system clock on the last license check. If a subsequent license check has a timestamp that occurs prior to that time, then you know there's something going on with the clock being changed. You can either disable the license, or just throw an exception and don't let the app run until a license check with a timestamp in the future. Also, be sure to use UTC, since timezone changes can and do happen.
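The last-check timestamp scheme described in the answer above, as an added Python example (not code from the original post or from the vendor's SDK). The names `check_license` and `ClockRollback`, the JSON state file, and the 300-second tolerance for small clock corrections are assumptions made for illustration.

```python
import json
import os
import tempfile
import time

SKEW_TOLERANCE = 300  # seconds; assumed allowance for small NTP corrections


class ClockRollback(Exception):
    """System clock is earlier than the last recorded license check."""


def _load_last_seen(state_path):
    """Return the stored UTC epoch of the last check, or None on first run."""
    try:
        with open(state_path, "r", encoding="utf-8") as fh:
            return int(json.load(fh)["last_seen"])
    except FileNotFoundError:
        return None
    # A corrupt file raises ValueError/KeyError instead of resetting history.


def _store_last_seen(state_path, ts):
    """Write atomically so a crash cannot leave a truncated state file."""
    directory = os.path.dirname(os.path.abspath(state_path))
    fd, tmp = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({"last_seen": ts}, fh)
    os.replace(tmp, state_path)


def check_license(expires_at, state_path, now=None):
    """Return True if the license is still valid, False if it has expired.

    Raises ClockRollback when the clock is behind the last recorded check.
    """
    # Epoch seconds are UTC, so timezone changes do not affect the comparison.
    now = int(time.time()) if now is None else int(now)
    last_seen = _load_last_seen(state_path)
    if last_seen is not None and now + SKEW_TOLERANCE < last_seen:
        raise ClockRollback(f"clock {now} is before last check {last_seen}")
    # Never move the stored timestamp backwards, even within the tolerance.
    effective = now if last_seen is None else max(now, last_seen)
    _store_last_seen(state_path, effective)
    return effective < expires_at
```

The check is only as trustworthy as the stored timestamp, so the state file belongs somewhere the user cannot trivially edit or delete it.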