Package keys

Keep the package (.pkg file) you downloaded from your Roku device and the password. With those two things you can rekey any device in the future when you need to update your channel. You'll probably want to keep the .zip file that went with the .pkg file (if you're not using some kind of version control system) since there's no way to examine the packaged/encrypted code should you need to in the future.

-JT

I do have source control. Is it recommended to store the zip and pkg on git? 

All I did was use the deployment script and it generated the pkg (I guess maybe it downloaded it from the device?). I guess I'll have another developer test on his end to make sure it is working. I'm assuming if I try to publish a package on my channel with the wrong key then it won't work since I already published it once with a different key?

I use git for my source control, but you can use pretty much anything.  You don't really need to keep the zip if you're good about source control, but I still like to keep the zip after each time I publish since I'm not real good about committing things in git at the appropriate times and it's just easier for me to find the zip that went with a release than going through git (I'm far from a git expert).  There's really no need to keep any more than one package since there's no way to "depackage".  Any package can be used to rekey a unit, so you just need to keep one with its password.  I'm sure your deployment script downloaded the pkg from the Roku since I don't believe there's any way to create a pkg without a Roku device.

You can publish with different keys, but it's definitely not recommended and you'll get no error/warning that you're using the "wrong" key.  You'll lose any registry entries your channel has created since they're tied to the key.  You can use the same key for multiple channels and then they can share registry entries.  There's rarely a need for that, but I also don't want to go about creating a new key for every channel I create.  When a user removes a channel (or all channels that used the same key), the registry entries associated with that key are purged from the unit on the next reboot/update.

I suppose technically you don't even need to keep the pkg since you can always download it from the developer site. It downloads with a .zip extension, but it's really a pkg. I just like to keep one around for each one of my projects.

-JT

I think I understand now. When I "deployed" the zip to the roku, the roku gave me back a signed pkg using the password I gave it? And now the roku has a key for signing future ones? 

That's about it except that the key is generated in the first place by running genkey when you Telnet to port 8080.  It's genkey that produces the key and password pair.  Is that handled by your deployment script?  If so, make sure every time your deployment script runs it's not generating a new key (and spitting out a new password).

The Roku unit stores the key somewhere and uses that along with the password to encrypt/sign the package.  You can change the current key by rekeying using the web interface (uploading a package file and providing the appropriate password) or running genkey to produce a new key/password pair. You can develop with any box that's using any key (or none at all). It's only when you create the final package to upload to the developer site that you want to make sure the box is keyed properly.

I have to take something back about trying to upload a package with a different key.  In the past the developer site didn't complain about the key being different from the previous package, but I think it does now.  It's not something I've tried recently.

-JT

Played a bit with it tonight. Seems like the pkg and the password is all I need. We used the pkg and password to rekey a second roku and generated a new pkg with it and it seemed to work.

Thanks for the help.

was the user data (registry) data retained after upgrading with the newly created pkg on a different device??

My channel doesn't have any data, it is fully controlled from a phone app. The only thing that matters is that the app id be the same so the app on the phone can launch it. Is there some other way I can verify the pkg is signed the same way?

U could just try updating the existing app with the newly created pkg, if the Roku site accepts, then it works right? 🙂

If you use a different DevID than your last pkg you published, you will wipe the registry section for your app on every roku that updates and runs the app. This will start the app in a "freshly installed" state. So if you store data in the registry it is imperative to always use the same DevID and password. The pkg can be used with the pkg password to extract the DevID on any roku model. In this way you can "port" your developer stuff over to the new roku and begin development from there.

You won't be assigned a new AppID when you use a different DevID. So you are safe there. You will upset customers if you store things in the registry to let them register, then later they have to do this again because you published with a different DevID. This will cause your bounce rate to inflate as people will become confused why does it have them set it up again. Since you aren't keeping anything here, you should be good to go either way.