Help

Roku Developer Program

Join our online forum to talk to Roku developers and fellow channel creators. Ask questions, share tips with the community, and find helpful resources.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
muteki
Visitor
‎07-31-2018 03:24 PM

App signing/packaging provides authenticity of the app?

I have question regarding to the purpose of app signing/packaging.  My understanding of app signing is usually to ensure authenticity/integrity of the app..  However, both the docs and the behavior I observed suggests it may only perform encryption/integrity checking but nothing about authenticity. 

Does the app signing/packaging provides authenticity of the app?

https://sdkdocs.roku.com/display/sdkdoc ... y+Overview

"Applications which run on the player must be encrypted and signed using the developer's unique developer specific set of keys generated by the Roku Streaming Player in developer mode. Code signing is done automatically as part of generating a package and ensures the integrity of code. Application packages are also encrypted to ensure confidentiality of the source code."

However, I found out I can sign a different app using a totally different roku box/dev id/password and upload to the same channel and the box will happily install that app.  I am not sure if I understand what does the app signing provide here?  The only way to protect the authenticity of the app is to protect the username/password of the developer account?

I also read somewhere about the registry being wiped out if a different developer ID is used to sign the app.  Does it mean the app signing provide a global key unique to this app to encrypt the app's specific registry?  That sounds very different from app signing to me.
0 Kudos
Reply
5 REPLIES 5
muteki
Visitor
‎08-01-2018 10:44 AM

Re: App signing/packaging provides authenticity of the app?

So far all my testing is done on non-certified channel.  Could there be additional verification during upload on public channel?  Anyone knows?
0 Kudos
Reply
squirreltown
Roku Guru
‎08-01-2018 02:59 PM

Re: App signing/packaging provides authenticity of the app?

What exactly are you concerned about? I can't figure it out.
Kinetics Screensavers
0 Kudos
Reply
muteki
Visitor
‎08-01-2018 03:40 PM

Re: App signing/packaging provides authenticity of the app?

I am trying to setup a signing procedure for our roku app.  And I am trying to understand how much protection I need to put in place for protecting this special roku device + devid/password pair for the signing/packaging process.  (we do app signing for other platforms also)  In our experience, traditional app signing is to ensure authenticity/integrity of the app so protecting the private key for signing is critical.  Now when evaluating the signing/packaging process of roku app, I am puzzled as to what does that provide.  It surely doesn't ensure authenticity of the app (in my test for non-certified channel).  So I wonder am I missing something or I should really spend my resource else where (i.e. protecting username/password of the developer account) rather than this roku/devid/password.
0 Kudos
Reply
squirreltown
Roku Guru
‎08-01-2018 04:48 PM

Re: App signing/packaging provides authenticity of the app?

"muteki" wrote:
So I wonder am I missing something or I should really spend my resource else where (i.e. protecting username/password of the developer account) rather than this roku/devid/password.

If you publish a channel, it's permanently tied to that developer account. Only that account will be able to access the web portal to change it. Since you can re-key any Roku box to any ID/pass using a .pkg file generated by the original ID/pass combo, the devID/pass matters mostly when you publish something and then update it. The registry is tied to the devID.  If your users have made settings changes stored in the registry, you want to use the same devID every time you package/update that channel, otherwise the devID's won't match and the updated channel won't see the old settings, and will behave as if there were none. Whatever signing goes on happens in the box, and is not your concern.
Kinetics Screensavers
0 Kudos
Reply
muteki
Visitor
‎08-01-2018 05:10 PM

Re: App signing/packaging provides authenticity of the app?

Thanks for the response.  I think that confirms our observation.  In summary, app signing/packaging doesn't provide authenticity of the app, and protecting developer account is crucial to maintain authenticity of the app..   On the other hand, the roku device/devId/password in the "signing process" is solely used to ensure consistent view of the registry data during an upgrade.  (not much related to the tradition purpose of app signing)
0 Kudos
Reply
Need Assistance?
Welcome to the Roku Community! Feel free to search our Community for answers or post your question to get help.

Become a Roku Streaming Expert!

Share your expertise, help fellow streamers, and unlock exclusive rewards as part of the Roku Community. Learn more.