Roku Developer Program

Join our online forum to talk to Roku developers and fellow channel creators. Ask questions, share tips with the community, and find helpful resources.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
TheEndless
Channel Surfer

Re: open roku .pkg after encrypting

"destruk" wrote:
Sideloading a pkg file and running it on the roku does work. I tried it a couple weeks ago and it was fine.
The 'passwords' to key an app aren't insecure. If you kept the password safe then I don't think anyone would be able to brute force it open.

If you can side-load (which I just tested, and can verify does work, despite the documentation.. even if your dev key doesn't match :?), then you can debug, which gives access to the full source code as you step through it (which I also just tested). It wouldn't be easy to capture, but it certainly wouldn't be impossible with a scriptable telnet client, and it doesn't require brute force.

Roku, please revisit this functionality, so it works as the documentation suggests...
My Channels: http://roku.permanence.com - Twitter: @TheEndlessDev
Instant Watch Browser (NetflixIWB), Aquarium Screensaver (AQUARIUM), Clever Clocks Screensaver (CLEVERCLOCKS), iTunes Podcasts (ITPC), My Channels (MYCHANNELS)
0 Kudos
RokuKevin
Visitor

Re: open roku .pkg after encrypting

We agree that we should not allow side-loading of .pkg files. When we added that capability, we weren't thinking of the use case of a developer sharing a package with a third party client. This ability is there for now, but in an upcoming release we'll take it away.

Endless, when you share your .pkg do you also plan on sharing the passwd to the key? We're thinking of not allowing any side-loading of .pkg files so even if the client had the key (to create their own future updates) they wouldn't have access to the source in the .pkg.

--Kevin
0 Kudos
TheEndless
Channel Surfer

Re: open roku .pkg after encrypting

"RokuKevin" wrote:
We agree that we should not allow side-loading of .pkg files. When we added that capability, we weren't thinking of the use case of a developer sharing a package with a third party client. This ability is there for now, but in an upcoming release we'll take it away.

Great! Thanks!

"RokuKevin" wrote:
Endless, when you share your .pkg do you also plan on sharing the passwd to the key? We're thinking of not allowing any side-loading of .pkg files so even if the client had the key (to create their own future updates) they wouldn't have access to the source in the .pkg.

Not typically, no. I usually only provide the password/key with the source.
I can actually see some value in being able to side-load a .pkg file, so requiring the password to do so seems like a reasonable compromise.
My Channels: http://roku.permanence.com - Twitter: @TheEndlessDev
Instant Watch Browser (NetflixIWB), Aquarium Screensaver (AQUARIUM), Clever Clocks Screensaver (CLEVERCLOCKS), iTunes Podcasts (ITPC), My Channels (MYCHANNELS)
0 Kudos
Need Assistance?
Welcome to the Roku Community! Feel free to search our Community for answers or post your question to get help.

Become a Roku Streaming Expert!

Share your expertise, help fellow streamers, and unlock exclusive rewards as part of the Roku Community. Learn more.