Roku Developer Program

Join our online forum to talk to Roku developers and fellow channel creators. Ask questions, share tips with the community, and find helpful resources.
TheEndless
Channel Surfer

Re: open roku .pkg after encrypting

"destruk" wrote:
Sideloading a pkg file and running it on the Roku does work. I tried it a couple weeks ago and it was fine.
The 'passwords' to key an app aren't insecure. If you kept the password safe then I don't think anyone would be able to brute force it open.

If you can side-load (which I just tested, and can verify does work, despite the documentation.. even if your dev key doesn't match :?), then you can debug, which gives access to the full source code as you step through it (which I also just tested). It wouldn't be easy to capture, but it certainly wouldn't be impossible with a scriptable telnet client, and it doesn't require brute force.

Roku, please revisit this functionality, so it works as the documentation suggests...
My Channels: http://roku.permanence.com - Twitter: @TheEndlessDev
Instant Watch Browser (NetflixIWB), Aquarium Screensaver (AQUARIUM), Clever Clocks Screensaver (CLEVERCLOCKS), iTunes Podcasts (ITPC), My Channels (MYCHANNELS)
0 Kudos
RokuKevin
Visitor

Re: open roku .pkg after encrypting

We agree that we should not allow side-loading of .pkg files. When we added that capability, we weren't thinking of the use case of a developer sharing a package with a third-party client. This ability is there for now, but in an upcoming release we'll take it away.

Endless, when you share your .pkg do you also plan on sharing the passwd to the key? We're thinking of not allowing any side-loading of .pkg files so even if the client had the key (to create their own future updates) they wouldn't have access to the source in the .pkg.

--Kevin
0 Kudos
TheEndless
Channel Surfer

Re: open roku .pkg after encrypting

"RokuKevin" wrote:
We agree that we should not allow side-loading of .pkg files. When we added that capability, we weren't thinking of the use case of a developer sharing a package with a third-party client. This ability is there for now, but in an upcoming release we'll take it away.

Great! Thanks!

"RokuKevin" wrote:
Endless, when you share your .pkg do you also plan on sharing the passwd to the key? We're thinking of not allowing any side-loading of .pkg files so even if the client had the key (to create their own future updates) they wouldn't have access to the source in the .pkg.

Not typically, no. I usually only provide the password/key with the source.
I can actually see some value in being able to side-load a .pkg file, so requiring the password to do so seems like a reasonable compromise.
My Channels: http://roku.permanence.com - Twitter: @TheEndlessDev
Instant Watch Browser (NetflixIWB), Aquarium Screensaver (AQUARIUM), Clever Clocks Screensaver (CLEVERCLOCKS), iTunes Podcasts (ITPC), My Channels (MYCHANNELS)
0 Kudos