You cannot decrypt the package, only the box has that capability. The best you can do is load the .pkg on a Roku in developer mode and see what contents you can gather through the BrightScript debugger.
You would need to be able to sideload signed packages in order to retrieve and rekey the roku.
That being said, ROKU employees have offered to provide the original source files to individuals on request in specific cases in the past, so why this functionality isn't available eludes me. It's not like pkg files are easily obtainable outside of the roku channel store AFAIK.
I'm talking about actually loading and running a pkg file. I didn't think you could do that.
"Bottom of page 12 of DeveloperGuide.pdf" wrote:
The Application Installer page only accepts applications using the zip file format. This process is often referred to as “side-loading” your application. It does not allow installation of signed (.pkg) applications package files. The .pkg file must be distributed through the channel store mechanism as either a published or private application.