If you do not require online validation, the program itself needs to validate the key, and any decent hacker can extract whatever counts as the private key from the executable.
The private key can't be extracted from the executable, because it's not stored there.
The developer signs a message with the private key, which they keep secure and don't distribute. The application, which contains the public key, can then verify that the message is signed by the developer.
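
The scheme described in the reply above, as an added example that is not part of the original thread: the issuing side signs a license payload with Ed25519, and the shipped side verifies it with only the public key. The license format (`payload.signature`, base64url), the function names and the fixed demo seed are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// IssueLicense runs only on the developer's side: the one place the private key exists.
func IssueLicense(priv ed25519.PrivateKey, payload string) string {
	sig := ed25519.Sign(priv, []byte(payload))
	enc := base64.RawURLEncoding
	return enc.EncodeToString([]byte(payload)) + "." + enc.EncodeToString(sig)
}

// VerifyLicense is what ships in the application; it needs only the public key.
func VerifyLicense(pub ed25519.PublicKey, license string) (string, error) {
	parts := strings.Split(license, ".")
	if len(parts) != 2 {
		return "", errors.New("malformed license")
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil || len(sig) != ed25519.SignatureSize {
		return "", errors.New("malformed license")
	}
	if !ed25519.Verify(pub, payload, sig) {
		return "", errors.New("signature does not match embedded public key")
	}
	return string(payload), nil
}

// DemoKeys derives a key pair from a constructed fixed seed so the example is reproducible.
func DemoKeys(seedByte byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seedByte}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeys(0x42)
	lic := IssueLicense(priv, "user=alice@example.com;edition=pro") // constructed payload
	fmt.Println(VerifyLicense(pub, lic))         // accepted: payload returned, nil error
	fmt.Println(VerifyLicense(pub, "x"+lic[1:])) // altered payload: rejected
}
```

In a real product the key pair comes from `ed25519.GenerateKey` on the developer's machine, and only the 32-byte public key is compiled into the application.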