@rauchwer is the real expert on this, but I’ll try to answer:
a) I need to sign up with FastSpring if I’m submitting paid plugins because that’s how money from any sales is sent, regardless of how I secure the plugin?
Correct!
And then I have a choice between:
b) I rely on the security built into Marketplace, supplemented as I see fit with code obfuscation, internal consistency checks etc, and completely ignore the FastSpring codes; or
This is correct, with the tiny detail of the word “ignore”. FastSpring won’t generate any codes unless you request them, as is my understanding. Instead of “ignore” I might say “not bother with”.
c) I do whatever is required using FastSpring’s APIs to send their codes to customers and then to allow them to enter the code into the plugin and validate it (probably in conjunction with code obfuscation and consistency checks)
Correct.