FAQ for API Keys and App Signing

[RobSpectre]

API keys are here! API keys are here!

Yesterday we opened up signups for API keys at here. Developer accounts and API keys are free.

Is my app going to break on the next release?
If your app is being distributed in the App Library, your app will not break. However, if you are distributing your application in your own repository, you will need a key or your apps will break. You can follow instructions on the wiki for distributing app signatures in your repository.

What is the devices tab all about?
If you would like to test your app on your Boxee Box before releasing, you can register your Box as a developer device to enable your app to run off of a USB key. Instructions on how to do this are available on the Devices tab in your Developer Profile.

What about the desktop client?
App signatures are currently required for embedded devices only.

Has anything in the API changed?
The <repository> element in your descriptor.xml is now required. For apps being distributed in the App Library, this value should be "tv.boxee". For apps distributed in your own repo, the value should be the same as the <id> element in your repository.xml.

How do I claim my existing app?
Currently switching an app over to your API key is a manual process - check in with developers [at] boxee [dot] tv if you have an update you need to release soon. Otherwise, sit tight - a solution is on its way.

When are these going to be required for apps running on the Box?
Soon. Like seriously soon. Sign your apps today. Seriously. Scout's honor.

Is this part of a secret government conspiracy to uncover my secret cache of 1970s-era Grateful Dead bootlegs?
If so, it has to be the most poorly executed in American history.

[Pablo4250]

Is this part of a secret government conspiracy to uncover my secret cache of 1970s-era Grateful Dead bootlegs?


I suspected a conspiracy all along, we buy a boxee, set it up expecting Netflix, then they roll out Netflix with some signal and turn us all into Zombies - I knew it...

Some of you were right all along...I am so gullable

[judgeschambers]

I got both my apps singed and working on the BBox today! Pretty easy.

Though, the <repository> tag was actually the top level URL to my repo and not my app ID. The automatic system would not recognize the uploaded zip until I added the <repository> tag to my descriptor.xml.

[viljoviitanen]

I got both my apps singed and working on the BBox today! Pretty easy.

Though, the <repository> tag was actually the top level URL to my repo and not my app ID. The automatic system would not recognize the uploaded zip until I added the <repository> tag to my descriptor.xml.

Yep.

I tried to follow the docs and and no success, then reverted to my old setup with a repository tag with the url and (unnecessary?) repositoryid tag with the id and it works.

I wish though there was a way to completely automate getting the app sig, I used to be able to publish new version to my repo with just one shell script and svn commit (which of course could be in the shell script but is not).

[transcendent]

Hi

Might be a question answered elsewhere. Apologies if it is.

If you're running your application off a USB key on the Box, where does the certificate file go ?

I see that there are device certificates, I'm guessing that this ought to go on the key's directory structure somewhere.

Also, do you need to add the repository tag to the XML descriptor file ?

Thanks

[judgeschambers]

Hi

Might be a question answered elsewhere. Apologies if it is.

If you're running your application off a USB key on the Box, where does the certificate file go ?

I see that there are device certificates, I'm guessing that this ought to go on the key's directory structure somewhere.

Also, do you need to add the repository tag to the XML descriptor file ?

Thanks

I've not done this yet on my bbox, but you have to get the device certified and that allows you to run the test app on the box without a key.

The key for the app, once you're ready to post to a repo and go public. When you get a key, it goes inside the Download folder along side your app's zip folder structure. (not inside the zip file).

See pic below and the key xml files are above my app zip folders in the Download folder.

[judgeschambers]

Yep.

I tried to follow the docs and and no success, then reverted to my old setup with a repository tag with the url and (unnecessary?) repositoryid tag with the id and it works.

I wish though there was a way to completely automate getting the app sig, I used to be able to publish new version to my repo with just one shell script and svn commit (which of course could be in the shell script but is not).

THis is not about publishing updates. The key is good for all updates. You can publish all the versions you want.

The key app is automated in the sense that you simply upload the zip folder and it's instantly provided. Then you get the key xml and upload it to your server in the app's Download folder. Done. Now you can update your app every day if you need to without getting a new key.

[viljoviitanen]

THis is not about publishing updates. The key is good for all updates. You can publish all the versions you want.

The key app is automated in the sense that you simply upload the zip folder and it's instantly provided. Then you get the key xml and upload it to your server in the app's Download folder. Done. Now you can update your app every day if you need to without getting a new key.

I thought he xml file is for the one exact zip file only. Change one bit of the zip and the signature is invalid.

(Edit: Forgot the obvious..) And after each update I need to get the xml though the web interface. It's not much work, but still something I'd like to do automatically.

[viljoviitanen]

Oh and here's my guess on how the api keys stuff work.

First public key crypto 101: There is a pair of keys which can be used so that stuff encrypted with one can be decrypted with the other and vice versa. Usually this is used so that one is "private" (known only by "you", or in this case, boxee server) and one is public (known by everyone, in this case, boxee box).

On registering as a developer, boxee generates a private and a public key for you. The xml file you get for the app is a signature, that is, a cryptograhic hash value of the zip encrypted with the private key.

Verification is probably something like boxee device downloading the app and the signature, getting the developers public key from the server, verifying somehow that the public key is really the one boxee had given you, then checking the signature (calculate the hash of the zip, compare it to to decrypted hash from the signature).

Or, it could be done so that boxee only has one key that it uses for all signatures (and then keeps a list of valid signatures) but probably not, as the xml file contains authority section, which implies that each dev has one keypair.

Now, because you need to send the zip to boxee to get the signature, boxee can then (later, if there are any problems) check the app and if needs be, somehow invalidate the signature, either by putting the exact app to a blacklist or removing the key from the list of valid keys.

Note: this is guessing. I can't be bothered to check the SP4 rc code, even if it was available (and it's not. Boxee: 1. you promised the code "later tonight" at sp4 rc release. 2. until you provide the code, you're violating the gpl.)

[Lilo]

I wish though there was a way to completely automate getting the app sig, I used to be able to publish new version to my repo with just one shell script and svn commit (which of course could be in the shell script but is not).

@viljoviitanen - I agree, What automating method you prefer:

1) A web service (authenticated)

OR

2) A keytool (+ a personalized key you download)

All app developers are encouraged to answer this and I'll try to add it to the long list of to-do(s) I've got going regarding app signing