Step 9: Sign Your App and Configure a Security Profile (VSK Fire TV)
This page will lead you through the process to sign your app and create your API key to authorize it.
Even if you're just exploring the sample app, you still need to perform all the steps in this topic.
- About Signing Your App During Development
- Create a Key to Sign Your App
- Automatically Sign Your App with the Custom Key
- Get the MD5 and SHA-256 Values from Your Key
- Create an Amazon Developer Account
- Create a Security Profile
- Add Your API Key into Your Fire TV Project
- Attach the Security Profile to Your App
- Generate a Signed APK for the Developer Console
- Upload Your APK into the Developer Console
- Complete App Submission Information
- Submit Your App to Live App Test (LAT) (New Apps Only)
- Next Steps
About Signing Your App During Development
Your app's signature is a hash value that is applied to every Android app when it is built. When you run your app from Android Studio (as you're developing your app), Android automatically signs your app with a default debug key by default.
However, this default debug key provided by Android Studio won't be accepted by Fire TV for projects that incorporate the VSK, and your app won't run. Even during local development of an app (sideloading onto Fire TV), you must sign your APK with a signature whose MD5 and SHA-256 values are associated with an Amazon security profile. The security profile will provide you with an API key that you incorporate into your app.
Follow the steps below to customize the debug signing key in Android Studio in order to properly sign your app for Fire TV.
Create a Key to Sign Your App
For a pre-release or "debug" version of your app, you must create an API key and store it in your project. To add the API key to your app:
- Create a file called
api_key.txt
located inside your project's assets folder. Placing the file in this specific directory is required. - Insert your API key as the only data in this
api_key.txt
file.
For a release or "production" version of your app, if your app uses the Appstore SDK, you must create an additional API key for the release version of your app. If using the older IAP SDK v2.0 and you sign your app using your own certificate, you must also create an API key for the release version of your app. In contrast, if using the IAP SDK v2.0 and you allow Amazon to sign your app on your behalf, you do not need to create an additional API key. For a summary, see the following table.
You can find your Appstore certificate hash values in the Developer Console to create the API keys for existing apps. Go to My apps > select your app > Upload Your App File > Appstore Certificate Hashes.
Here's a quick reference for how you should sign your app:
Uses Appstore SDK | Self-signs release app | Production or development version | How to sign your app |
---|---|---|---|
prod | The API key is automatically generated and injected for release apps, no need to do anything else. | ||
prod | Developer must create API key using their own release certificate hashes and add it to assets. | ||
prod | Developer must create API key using release certificate hashes from Developer Console and add it to assets | ||
prod | Developer must create API key using their own release certificate hashes and add it to assets. | ||
any | any | development | Developer must create API key using their own release certificate hashes and add it to assets. |
Keys for signing your app are stored in a keystore. For Android apps, usually there is a debug keystore and a release keystore. To create a signing key:
- If you already have a custom debug key (not the default Android debug key) to sign your app, make sure you know the keystore location, keystore password, key alias, and key password. Then skip to the next section: Automatically Sign App with Key.
- Assuming you don't have a custom debug key, open Android Studio and click Build in the top navigation and select Generate Signed Bundle / APK.
- In the "Generate Signed Bundle or APK" dialog box, select APK. Then click Next.
- Click Create new and define the fields for a new key. See Generate an upload key and keystore in the Android documentation for more details. Fill out at least one of the fields in the Certificate form. When finished, click OK.
-
Make a note of your keystore location, keystore password, key alias, and key password, as you will need this information in the next section.
For more information, see Generate a key and keystore in the Android documentation.
- Close the dialog box without proceeding through the other wizard screens to generate the APK. Continue on to the next step.
Automatically Sign Your App with the Custom Key
In the previous section (Create a Key to Sign Your App), you created a custom key to sign your app. In this step, you will update the key that your debug profile uses in Android Studio. To customize the signing key used with your debug profile:
- Open your Fire TV app project in Android Studio and go to File > Project Structure.
- Click Modules on the left.
- Click the Signing Configs tab at the top.
- Click the + button and create a new config called firetv.
-
Configure your new firetv signing configuration by selecting the Store File, Store Password, Key Alias, and Key Password based on the information noted from the previous section (Create a Key to Sign Your App).
Tip: When you choose the Store Password and Key Password, Android lets you store this information as a variable ($var
). Storing passwords as variables is recommended. Otherwise, your passwords will be present in thebuild.gradle (Module: app)
file, making any Git checkin problematic. When you store these values as a variable, thestorePassword
andkeyPassword
values in thebuild.gradle
file are just displayed asvar
in your project's files, and the actual value remains local to your computer. - Click Apply and then OK to close the dialog box. Gradle syncs your project with the updated signing information.
- In the left pane, expand Gradle Scripts and double-click your
build.gradle (Module: app)
file. -
Verify that an object called
signingConfigs
appears with details about yourfiretv
signing config profile. For example:android { signingConfigs { firetv { storeFile file('/Users/johndoe/android_signature/androidkeys.jks') storePassword var keyAlias = 'myandroidkeys' keyPassword var } } ... } ... }
The
buildTypes
property should also specify to use thefiretv
signing key for both release and debug builds. If these are commented out in the sample app, uncomment them.buildTypes { release { minifyEnabled false proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro' signingConfig signingConfigs.firetv } debug { signingConfig signingConfigs.firetv } }
Now your builds will be signed with an API key that will match the API key used in your Amazon developer security profile (which you will create in an upcoming step). Fire TV will then allow the app to be installed on a Fire TV device.
For more information about signing your app, see Configure the build process to automatically sign your app in the Android documentation.
You can vary from the above process for signing your app as long as you keep the general principle in mind here — when you develop and run your app on Fire TV, sign your app with a key that isn't your default Android Studio debug key but rather is a key associated with a security profile on Amazon. (You'll associate this key with a security profile in an upcoming section.)
Get the MD5 and SHA-256 Values from Your Key
You need to get the MD5 and SHA-256 values from your signing key before you can generate an API key from an Amazon security profile (described in the next step). You can get these values from the Gradle menu in Android Studio by doing the following:
- In Android Studio, click the Gradle side pane on the right and expand it.
- Expand [app name] > Tasks > android.
-
Double click signingReport.
Gradle reads from your keystore and shows the MD5 and SHA-256 values in a bottom pane.
- Only the MD5 and SHA-256 values are needed. Copy these MD5 and SHA-256 values into a convenient location, as you will need them to create a security profile.
Create an Amazon Developer Account
If you don't yet have an Amazon developer account, create an account at developer.amazon.com by clicking Sign In in the upper-right corner and then click Create your Amazon Developer account. If this is your first time, you will need to complete some informational fields. See Create a Developer Account for more details.
Create a Security Profile
A security profile associates your security credentials with your app. You'll create this security profile in the developer portal and include the MD5 and SHA-256 values in the profile's configuration. This will create an authorization between your app and the security profile. To create the security profile:
- Sign in to https://developer.amazon.com and click Developer Console. This takes you into the Appstore Developer Console.
- Click Settings and then click Security Profiles from the second row of subtabs.
- Click the Create a New Security Profile button (in the lower-right corner).
-
In the Security Profile Name field, give your security profile a friendly name (such as your app's name). Also type a description as desired in the Security Profile Description field.
- Click Save.
-
Click the Android/Kindle Settings tab.
-
Complete the following fields:
Field Description API Key Name This does not have to be the official name of your app. It simply identifies this particular Android app among the apps and websites registered to your security profile. Package This must match the customized package name of your Android project. In Android Studio, find your manifest in app > manifests > AndroidManifest.XML
and look for thepackage
name near the top. For example:com.example.vskfiretv.mystreamz
MD5 Signature This signature is used to verify your application. The MD5 signature must be in the form of 16 hexadecimal pairs separated by colons. For example: 02:6C:8B:83:77:91:39:C3:E8:C6:45:AC:6A:CE:B2:5B
. You extracted this value in a previous section, Get the MD5 and SHA-256 Values from Your Key.SHA256 Signature This signature is used to verify your application. The SHA-256 signature must be in the form of 32 hexadecimal pairs separated by colons. For example: 12:8F:C1:5D:3D:E9:BD:00:E0:ED:77:B3:84:71:AB:8F:6E:7D:C0:9E:E5:FE:64:EF:8F:BD:DA:EF:77:1F:E8:5E
. You extracted this value in the previous section, Get the MD5 and SHA-256 Values from Your Key. - Click Generate New Key.
-
Under API Key, click Show and copy the API key and save it in a convenient location.
Note: If different versions of your app have different signatures or package names, such as for one or more testing versions and a production version, each version will require its own API Key. From the Android/Kindle Settings of your app, click the Add an API Key button to create additional keys for your app (one per version). Note that you can use the same security profile for multiple apps. Inside the security profile, you can add multiple API keys and associate each key with a different app. - Close the API Key Details window.
Add Your API Key into Your Fire TV Project
You need to add the API key from your security profile into your Fire TV project. This will enable your app to receive messages from Alexa. To add the API key to your app:
- In Android Studio, open your Fire TV app project.
- Inside your project's assets folder, create a file called
api_key.txt
. (If you don't have an assets folder with this file in your app, create the folder and file.) Placing the file in this specific directory is required. - Insert your API key as the only data in this
api_key.txt
file.
This
api_key.txt
file is already present in the sample app. Press Shift twice and type the file name to quickly locate it. Replace <INSERT YOUR API KEY HERE>
with your API key.Attach the Security Profile to Your App
You need to attach the security profile to your app. This will allow your app to be authorized on Fire TV. To attach the security profile to your app:
-
If necessary, sign in to https://developer.amazon.com and do one of the following:
- If you're working with an existing app, go to Apps & Services > My Apps. Then select your app.
- If you're creating a new test app for the sample app, click Add New App > Android. Complete the required fields (title, category, etc.) on the New App Submission screen, and then click Save.
- In the column of subtabs on the left, click the App Services tab.
- In the Security Profile section, expand the Select existing security profile or create new link.
-
In the Security Profile drop-down that appears, select the security profile you created earlier and click Enable Security Profile.
You will see a confirmation message that says, Security profile "{Name}" has been successfully enabled for your app with details about the attached security profile.
Note that once you attach a security profile to an app, you cannot remove or change the security profile's attachment to the app.
Generate a Signed APK for the Developer Console
You need to generate a signed APK and upload it into the Developer Console so that you can submit your app into Live App Testing (LAT) in a later step. The APK you generate must be a release APK rather than a debug APK. To generate a signed APK from Android Studio:
- In Android Studio, generate a signed release APK by going to Build and then selecting Generate Signed Bundle / APK. Select APK, and then click Next. (Do not generate a debug APK, as it will not be accepted by the Developer Console.)
- Select the same signing key you configured earlier. Then click Next.
- Select the desired Destination Folder (this is where Android Studio will generate the built APK). Select the release build (note that Appstore will reject debug builds). Select the V1 (Jar Signature) check box. Then click Finish.
-
After Android Studio builds your project, it shows a small message window with a locate link to open the destination folder where your APK was built. Click locate and open your destination folder to easily access the APK.
If this window disappears, you can find the info by clicking the Event Log tab in the lower-right corner. The location within your project is app/release and the file's default name is
app-release.apk
.
Upload Your APK into the Developer Console
Now that you generated a signed release APK, upload it into the Developer Console.
To upload your APK:
- If necessary, sign in to the Developer Console and go to the Dashboard.
- Go to Apps & Services > My Apps.
- Click the Add New App button and then select Android.
-
Give your app a name in the App title field and a category in the App category field. For more information about these fields, see Step 1: Upload Your App File in the app submission process.
Important: Alexa will identify your app by the App title field in the Appstore submission tabs. For example, if you name your app "MyStreamz," when you request a title from your app, Alexa will respond, "Getting video title from MyStreamz." Alexa does not get your app's name from a file inside your Android project. - Click Save.
-
On the Upload Your App File screen, drag the APK from the destination folder over to the Upload your app file box and complete the other required fields.
For more details about this screen, see Step 1: Upload Your App File.
-
Select a checkbox in the Language Support section (for example, English).
The remaining details you'll complete in the next step, as you follow the Getting Started with App Submission guide. For now, you must have an app to attach the security profile to. The security profile requires a package name.
Complete App Submission Information
Complete all the required information on the app submission screens. You should not submit your app into the Appstore at this time. To complete the information:
-
On each screen, provide the required information. For details on the fields, see Submitting Apps to the Amazon Appstore.
Tip: You need to upload image assets during the submission workflow. If needed, you can download sample images. -
When you've completed each screen, a green check mark appears for the screen in the sidebar. Make sure the Upload Your App File, Target Your App, and Appstore Details screens have a green check mark.
Submit Your App to Live App Test (LAT) (New Apps Only)
You don't need to submit your app to the Appstore, but if you have a new app, or if you're working with the sample app, you do need to submit the app to Live App Testing (LAT). When you submit your app to LAT, Amazon's server can map your app's package name to your catalog. In the catalogs
property in the RemoteVideoPlayer Supported Capabilities, you indicate your partner ID, but Amazon gets your app's catalog through a mapping of your app title and ASIN. To perform this mapping, your app must either be in a LAT or in a production environment.
To start a LAT for your app:
- In the Developer Console, go to Apps & Services > My Apps and click your app.
- In the left sidebar, click Live App Testing.
-
If this is the first time you are setting up a test for this app, select Create a new Live App Test.
If you have previously set up a test for this app, you are taken to the Live App Testing dashboard. Click New Test.
-
Complete all the required fields and click Submit. For more details on how to start a LAT, see Create a Live App Test.
There's no need to add testers for this LAT, since the LAT submission is purely so that Amazon's systems can map your catalog to your package. You will not be using the LAT version of the app and can ignore any LAT emails.
Note: You won't need to upload your app to LAT to do any testing. You will test your app by connecting to a Fire TV device through ADB from Android Studio. You do not need to submit each update into LAT to test changes to your app. (You are still free to use LAT for testing, though.)Warning: Do not change your app's name after submitting it to LAT. Doing so will undo the catalog mapping with your app. The same requirements apply to the sample app. If you change the App Title value in the Amazon Developer Console, you will undo the backend mapping of your catalog with the sample app and Alexa will no longer respond to requests.
Next Steps
Go to the next step: Step 10: Test Utterances and Observe Logs.
Last updated: Oct 12, 2023