How can this be OK from a legal / liability perspective? Seems like Roku would be at least partly liable for problems due to negligence.
We are running this by our lawyers - I'll post back here what they say to help others who run into this situation
The proper, legalistic way of doing it is probably you handing signed bundle - with unique for that client key - "their key", that they may want to use for other app (for reasons of shareing registry data between apps). And it's their responsibility to upload the bundle, add app description and snapshots etc. It is not as complicated as producing the bundle.
Now, i imagine they could also ask you to do the upload and review submittal for them: by them temporarily changing the password so you can access their account remotely for full service - and later revoking access. Or imaginary, your rep to do it supervised in person on their hardware. I understand you don't like it - but in a way it's like trusting a handyman or housekeeper to work in your house in your absence. Or supervise them. Does not require to let them keep a house key though