I'm going to publish my first package; it will be private at first while beta testing. I have created the package and saved the password. Is the password the only thing I need to save to be able to recreate the package in the future? Is there a keystore or anything like that?
Keep the package (.pkg file) you downloaded from your Roku device and the password. With those two things you can rekey any device in the future when you need to update your channel. You'll probably want to keep the .zip file that went with the .pkg file (if you're not using some kind of version control system) since there's no way to examine the packaged/encrypted code should you need to in the future.
I do have source control. Is it recommended to store the zip and pkg on git?
All I did was use the deployment script and it generated the pkg (I guess maybe it downloaded it from the device?). I guess I'll have another developer test on his end to make sure it is working. I'm assuming if I try to publish a package on my channel with the wrong key then it won't work since I already published it once with a different key?
I use git for my source control, but you can use pretty much anything. You don't really need to keep the zip if you're good about source control, but I still like to keep the zip after each time I publish since I'm not really good about committing things in git at the appropriate times and it's just easier for me to find the zip that went with a release than going through git (I'm far from a git expert). There's really no need to keep any more than one package since there's no way to "depackage". Any package can be used to rekey a unit, so you just need to keep one with its password. I'm sure your deployment script downloaded the pkg from the Roku since I don't believe there's any way to create a pkg without a Roku device.
You can publish with different keys, but it's definitely not recommended and you'll get no error/warning that you're using the "wrong" key. You'll lose any registry entries your channel has created since they're tied to the key. You can use the same key for multiple channels and then they can share registry entries. There's rarely a need for that, but I also don't want to go about creating a new key for every channel I create. When a user removes a channel (or all channels that used the same key), the registry entries associated with that key are purged from the unit on the next reboot/update.
I suppose technically you don't even need to keep the pkg since you can always download it from the developer site. It downloads with a .zip extension, but it's really a pkg. I just like to keep one around for each one of my projects.
That's about it except that the key is generated in the first place by running genkey when you Telnet to port 8080. It's genkey that produces the key and password pair. Is that handled by your deployment script? If so, make sure every time your deployment script runs it's not generating a new key (and spitting out a new password).
The Roku unit stores the key somewhere and uses that along with the password to encrypt/sign the package. You can change the current key by rekeying using the web interface (uploading a package file and providing the appropriate password) or running genkey to produce a new key/password pair. You can develop with any box that's using any key (or none at all). It's only when you create the final package to upload to the developer site that you want to make sure the box is keyed properly.
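The workflow the two posts above describe (never let the deploy script run genkey, keep one .pkg together with its password, rekey a box from that pair before packaging), written out as an added example. This is not code from the thread, from Roku, or from the poster's deployment script. It assumes ROKU_DEV_TARGET, ROKU_DEV_PASSWORD (the developer web password) and ROKU_PKG_PASSWORD (the signing password) are set in the environment, that the form fields and URLs match the Roku SDK's app.mk (mysubmit=Package and Rekey, app_name, passwd, pkg_time, archive, /pkgs/dev.pkg), and that the packager page shows the current Dev ID as a 40-hex-digit string; check all three against your own device before relying on it.

```shell
#!/bin/sh
# Added example, not from the thread or from Roku. Packages a side-loaded
# channel through the device's developer web interface, downloads the .pkg,
# and files it next to its password and Dev ID so the key can be restored
# later with a rekey. genkey is never called, so repeated runs cannot
# silently replace the key.
#
# Assumptions (not confirmed by the thread): ROKU_DEV_TARGET, ROKU_DEV_PASSWORD
# and ROKU_PKG_PASSWORD are in the environment; form fields and URLs follow the
# Roku SDK's app.mk; the packager page contains the current Dev ID as 40 hex digits.
set -eu

KEYSTORE="${KEYSTORE:-${HOME:-/tmp}/roku-keystore}"

# Build the "name/version" string the packager expects; reject anything outside
# a conservative character set so it cannot break the multipart form field.
app_name() {
    case "$1$2" in
        *[!A-Za-z0-9._-]*) echo "app_name: bad characters in '$1' / '$2'" >&2; return 1 ;;
    esac
    printf '%s/%s' "$1" "$2"
}

# Two Dev IDs name the same key only when they are identical.
same_key() { [ "$1" = "$2" ]; }

# File a .pkg with the password and Dev ID it was signed with. One package
# signed with a key plus that key's password is enough to rekey any device.
# Prints the manifest path.
save_key_material() {
    pkg="$1"; password="$2"; dev_id="$3"
    mkdir -p "$KEYSTORE"; chmod 700 "$KEYSTORE"
    cp "$pkg" "$KEYSTORE/"
    manifest="$KEYSTORE/$(basename "$pkg").manifest"
    ( umask 077; printf 'pkg=%s\ndev_id=%s\npassword=%s\n' \
        "$(basename "$pkg")" "$dev_id" "$password" > "$manifest" )
    printf '%s\n' "$manifest"
}

# Digest-authenticated request to the developer web interface (user is rokudev).
roku_curl() {
    curl --user "rokudev:$ROKU_DEV_PASSWORD" --digest -s -S "$@"
}

# Dev ID currently keyed on the device (assumed to appear on the packager page).
current_dev_id() {
    roku_curl "http://$ROKU_DEV_TARGET/plugin_package" \
        | grep -o '[0-9a-f]\{40\}' | head -n 1
}

# Package the side-loaded channel, download dev.pkg, and file it.
# Refuses to run if the box is keyed with a Dev ID other than the one expected,
# which is the silent "wrong key" case the thread warns about.
package_channel() {
    name="$1"; version="$2"; expected_dev_id="$3"
    dev_id="$(current_dev_id)"
    if ! same_key "$dev_id" "$expected_dev_id"; then
        echo "device is keyed with '$dev_id', expected '$expected_dev_id'; rekey first" >&2
        return 1
    fi
    roku_curl -F mysubmit=Package -F "app_name=$(app_name "$name" "$version")" \
        -F "passwd=$ROKU_PKG_PASSWORD" -F "pkg_time=$(( $(date +%s) * 1000 ))" \
        "http://$ROKU_DEV_TARGET/plugin_package" > /dev/null
    out="${name}_${version}.pkg"
    roku_curl -o "$out" "http://$ROKU_DEV_TARGET/pkgs/dev.pkg"
    save_key_material "$out" "$ROKU_PKG_PASSWORD" "$dev_id"
}

# Restore a saved key on a (new) device from a filed .pkg and its password.
rekey_device() {
    roku_curl -F mysubmit=Rekey -F "passwd=$ROKU_PKG_PASSWORD" -F "archive=@$1" \
        "http://$ROKU_DEV_TARGET/plugin_inspect" > /dev/null
}

# Usage: ./deploy.sh package <name> <version> <expected-dev-id>
#        ./deploy.sh rekey <saved.pkg>
case "${1:-}" in
    package) package_channel "$2" "$3" "$4" ;;
    rekey)   rekey_device "$2" ;;
esac
```

The expected Dev ID is passed in explicitly (copy it from the genkey output or the manifest) rather than read from whatever the box happens to have, so a box that was accidentally re-keyed fails the check instead of producing a package signed with a different key.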
I have to take something back about trying to upload a package with a different key. In the past the developer site didn't complain about the key being different from the previous package, but I think it does now. It's not something I've tried recently.
My channel doesn't have any data; it is fully controlled from a phone app. The only thing that matters is that the app ID be the same so the app on the phone can launch it. Is there some other way I can verify the pkg is signed the same way?