Developer Blog

Boxee API Keys Are Here!

As you may have heard via email and on the forums, the upcoming SP4 release for the Boxee Box will include the introduction of API keys for Boxee developers. Only barely eclipsed by the news that the White Stripes are breaking up, the announcement of this new process has generated a lot of questions and we’re happy to report that the interface to get your API key is now live here.

In the next release of Boxee, all apps running on the Boxee Box will need to be signed by an API key. What does this mean for you and your application?

Here are some quick answers to the most common questions:

1) Why are you doing this?

This rollout is in reaction to an increasingly common security requirement among premium content providers. Distributing API keys to create signatures for applications is a frequent feature of the Smart TV space and we’re following suit.

2) What do I need to do?

If your app is in the Boxee App Library, you don’t need to do anything. Your app is already signed for you and will not be affected by the next release. If you are distributing your app through your own repository, we recommend you get an API key and get your application signed.

3) How do I sign up for an API key?

You can sign up for a developer account and get issued an API key by going here and signing up for a developer account. Developer accounts on Boxee are of course free and keys are generated automatically.

4) How do I sign my app?

Once you have signed up for a profile, you can get your app signed here.

1. Login to boxee.tv
2. Navigate to http://boxee.tv/developer
3. If you haven’t already, register as a developer by filling out the profile form
4. Click on the Apps tab
5. Upload the zip of your application that you will distribute in your repository
6. Click “All Versions and Signatures”
7. Click “Download Signature”
8. Place the downloaded xml file in your repository’s download directory

    5) Should I sign up even if I don’t maintain my own repository?

    Yes! We’ll be using Boxee API keys in the future for making available new services and features for developers. Sign up now and register your apps.

    We are encouraging all developers maintaining their own repositories sign their apps as soon as possible. If you have any problems or questions, I’m here - you can get ahold of me through the following media:

    Updated: 6) Are there any changes to the API?

    Be sure your descriptor.xml has a <repository> element - it is now a required. For apps submitted to the App Library this value should be “http://dir.boxee.tv/apps/”.

    • Email: developer [at] boxee [dot] tv
    • Twitter: @boxee_api
    • IRC: #boxee on FreeNode
    February 3, 2011 at 11:18 pm

    26 Responses to “Boxee API Keys Are Here!”

    1. Kermonk says:

      Bad implementation. If you hand out the keys you will be held responsible for what addons do - just wait and someone will hit you with a lawsuit.

      Second, whilst I might look into doing a few handy apps for myself, there is no way in hell I’ll try now if i have to give phone number and home address etc. None of your business.

      • Rob Spectre says:

        Sorry you feel that way.

        • Kermonk says:

          I’m sorry too

          • Fraggs says:

            You pretend no other devices/services use API keys, you pretend like it’s some foreign concept…. You’re programming on Boxees platform so they make the rules. API’s can only lead to good things so why argue it? You really want to be sodomized with rules and regulations? Go develop something on an Apple platform.

      • Prospero424 says:

        Registering as a developer with your phone #, etc. is only required if you want to get your app signed so (for example) it can be included in the official public Boxee repository.

        If you want to author an app anonymously, all you have to do is put it in a 3rd-party repo. It won’t get signed because Boxee has no reason to trust you, but if Boxee users choose to add your repo, your app will still run on Boxee just fine.

        As for Boxee incurring some kind of liability, well, they could already be sued for apps being hosted by them in their official repo. This really doesn’t change anything substantial on that front. They’ll just need to continue to be careful in what they allow onto the official Boxee repo.

        • Viljo Viitanen says:

          Actually only 3rd party repos need the manual signatures as boxee handles their repos signatures themselves. Anyway the maintainer of the 3rd party repo can get the signature and leave the developers identity anynomous. Of course it’s then the responsibility of the repo maintainer to check the app doesn’t break the api rules.

          • Kermonk says:

            @Viljo Viitanen says:

            What are you saying? Is it the repository who needs to be signed?
            Or the people running the repository who needs to submit it? Seems more information is needed about this.

            “Of course it’s then the responsibility of the repo maintainer to check the app doesn’t break the api rules.”

            And how can you even break the api rules. “You are not allowed to use the Hijack_Netflix routine” - no kidding.

            • Viljo Viitanen says:

              Apps need to be signed but it doesn’t matter who signs them. Could be the dev, could be repo maintainer, could be your mom who registered as a developer at boxee. Point is boxee gets a copy of every app and can stop them from running.

              I posted in the forum my guess on the details.
              forums.boxee.tv/showthread.php?p=159855#post159855

        • Kermonk says:

          Are you sure about that? When they posted the new firmware they said 3d party apps wouldn’t work unless they were signed also.

          • Prospero424 says:

            Ah, yes, I read it wrong. I thought it was only “suggested” that apps in 3rd-party repos get signed. It seems this is required. And yes, you have to sign up as a developer in order to get signed. As previously mentioned: this is how pretty much every successful commercial app ecosystem out there is set up.

            BUT the API keys used for signing aren’t attached to the app itself or to the repository, they’re attached to the developer.

            Anyway, this isn’t the first time that the introduction of code signing has sparked controversy, and it won’t be the last. Every app service out there has to strike a balance between openness and security. The balance that Boxee has chosen weighs in decisively on the open side relative to other successful systems.

            No, it’s not ideal. But then, what is?

            I will say that requiring a phone # and address is rather silly for two reasons:

            1. They have no way to verify that the address or phone # given is valid.

            2. All that is really needed is a way to contact the developer if the need arises, which can be accomplished with an email address just fine.

            It almost seems like a psychological ploy to try to influence developers to exhibit good behavior. It’s a bad idea and it should go away. The rest of the signing process/system I have no problem with.

            • Prospero424 says:

              Although if it were up to me I’d only require that apps wishing to be placed within the official repository be signed. Then make it clear to the end user when they go to add a custom repository within Boxee what the risks are and that they are assuming liability by adding an untrusted source for apps.

    2. Can’t wait to work on some Boxee apps, love the platform, may try my hand at a bit of development on the big screen!

    3. killerbeesateme says:

      If you register your boxee box as a testing device, will that remove access to premium content such as Vudu and Netflix (whenever it arrives) on that device?

      • Rob Spectre says:

        Nope - just lets you run your registered apps on a USB key on the device.

        • minimeh says:

          I guess I’m being a little thick. In my defense, I am new to developing on the Boxee Box, although I am well on my way towards completing my first app.

          So far (and I have not upgraded to the RC that enforces app signing), I’ve been testing off of a usb thumb drive by including “true” in my descriptor.xml.

          I thought that going forward, that would work only on registered devices so I registered my box.

          Now reading here that registering the device “just lets you run your registered apps on a USB key on the device.”, it seems that I still need to go through the app registration process to generate a new key for every iteration of the app during development just to run it from the usb key on a registered device.

          Is that correct? Seems unlikely as that seems incredibly cumbersome and quite a hindrance to new developers learning the ropes.

          I may have missed it, but some clear, concise and thorough documentation is needed for the app and device registration rules. What I’ve seen so far seems a bit sketchy.

          • minimeh says:

            The “true” above was originally the test-app true element before being reduced to “true” in the posting.

    4. Flabeo says:

      Sounds like a great step forward.

    5. Louis says:

      What a bunch of ridiculous whining. It should be relatively obvious to anyone paying attention to Boxee or the space that they operate in that this requirement was not initiated by the Boxee team. It doesn’t take a complex game of connect the dots to see that most likely this is part of the security requirements being made by the Netflix crew so that if your app somehow is able to “borrow” their streaming content in a way that isn’t in accordance with their rules then they can track you down. That doesn’t work with a global group of anonymous developers. And before people start whining about Netflix, I think we can all agree that a large part of those rules are forced down everyone’s throat by the big content companies.

      If as a developer you want to play in a sandbox with billions of dollars worth of “intellectual property” at your fingertips then most likely the companies that own that IP are going to want to know who you are and how to reach you. Whining about it just shows immaturity and unprofessionalism, Boxee doesn’t need either.

    6. kalsriv says:

      Hi
      I am new to the boxee development. Does this mean that I need to have this key to test my app locally at my computer. This is because I am trying to run some descriptor.xml as given in different template example and nothing is running up.

      • Rob Spectre says:

        You do not need signatures for the desktop software - this is for developing on the Boxee Box only.

        • John says:

          It’s obvious that the PC version is now completely unmaintained. Why is it even still available for download?

    7. John says:

      How can I develop my application without leaking my intellectual property? I’m not interested in uploading a zip file to boxee of my unfinished work. I’m especially not interested in uploading 50 zip files per day, whenever I make a tiny change.

      I’ve downloaded a dev-certificate.xml, is there a way I can use it on my usb pendrive?

    8. [...] This post was mentioned on Twitter by Kai Armstrong, Shawn & Rob. Shawn & Rob said: API Keys are here - sign up now for you @boxee developer profile: http://bit.ly/goOwvd [...]