Gracias por tu visita. Esta página solo está disponible en inglés.

Step 5: Sign Your App and Configure a Security Profile (VSK Fire TV)

For your production app, Amazon handles your APK signature based on your Amazon account. However, for testing an app that incorporates a video skill, you need to sign your APK and associate this signature with an Amazon security profile.

About Signing Your App During Development

Your app's signature is a hash value that is applied to every Android app when it is built. When you run your app from Android Studio (as you're developing your app), Android automatically signs your app with a debug key by default.

However, this default debug key provided by Android Studio won't be accepted by Fire TV for projects that include video skills, and your app won't run. Even during local development of an app with a video skill, you must sign your APK with a signature whose MD5 and SHA256 values are associated with an Amazon security profile. The security profile will provide you with an API key that you incorporate into your app to authorize the communication from Amazon Device Messaging.

Follow the steps below to customize the debug signing key in Android Studio in order to properly sign your app for Fire TV.

Create a Key to Sign Your App

The first step is to create a key to sign your app. Keys for signing your app are stored in a keystore. Generally, for Android apps there is a debug keystore and a release keystore. To create a signing key:

  1. If you already have a custom debug key (not the default Android debug key) to sign your app, make sure you know the keystore location, keystore password, key alias, and key password. Then skip to the next section: Automatically Sign App with Key.
  2. Assuming you don't have a custom debug key, in Android Studio, click Build in the top navigation and select Generate Signed Bundle / APK.
  3. In the "Generate Signed Bundle or APK" dialog box, select APK. Then click Next.
  4. Click Create new and define the fields for a new key. See Generate an upload key and keystore in the Android documentation for more details. Make a note of your keystore location, keystore password, key alias, and key password, as you will need this information in the next section. When finished, click Apply.

    Selecting keys to sign your app
    Selecting keys to sign your app
  5. Close the dialog box without generating the APK. Continue on to the next step.

For more information, see Generate a key and keystore in the Android documentation.

Automatically Sign Your App with the Custom Key

In the previous step, you created a custom key to sign your app. In this step, you will update the key that your debug profile uses in Android Studio. To customize the signing key used with your debug profile:

  1. Open your Fire TV app project in Android Studio.
  2. Go to Build and select Edit Build Types.
  3. Click Modules on the left.
  4. Click the Signing Configs tab at the top.
  5. Select debug.
  6. Configure your new debug signing configuration by selecting the Store File, Store Password, Key Alias, and Key Password based on the information noted from the previous section (Create a Key to Sign Your App).
  7. Click Apply and then OK to close the dialog box.
  8. In the left pane, expand Gradle Scripts and double-click your build.gradle (Module: app) file.
  9. Verify that an object called signingConfigs appears with details about your debug signing config profile. For example:

     android {
       signingConfigs {
          debug {
              storeFile file('/Users/yourusername/android_signature/androidkeys.jks')
              storePassword 'yourstorepassword'
              keyAlias = 'myandroidkey'
              keyPassword 'yourkeypassword'

    Now your debug app will be signed with an API key that matches the API key used in your Amazon Developer security profile (which you will create in an upcoming step). Fire TV will then authorize the app to install.

    For more information about signing your app, see Configure the build process to automatically sign your app in the Android docs.

    You can vary from the above process for signing your app as long as you keep the general principle in mind here — as you develop and run your app on Fire TV, sign your app with a key that isn't your default Android Studio debug key but rather is a key associated with a security profile on Amazon. (You'll associate this key with a security profile in an upcoming section.).

    Note that in the production version of your app, if you use the Amazon Appstore to sign your app (the default), the API key is provided automatically. However, if you sign the release version of your app using your own certificate, you will need to create an additional API key for the release version of your app.

Get the MD5 and SHA-256 Values from Your Key

You need to get the MD5 and SHA-256 values from your signing key before you can generate an API key from an Amazon security profile (described in the next step). To do this, you can use the keytool utility (a key and certificate management tool that is part of Java) to extract the MD5 and SHA-256 values. Or you can use the Gradle menu in Android Studio.

Using the Gradle side pane in Android Studio

In Android Studio, click the Gradle side pane on the right and expand it. Expand app > Tasks > android. Then double click on signingReport.

Signing Report in Android Studio
Signing Report in Android Studio

Using the keytool utility

To extract the MD5 and SHA256 values from your signing key:

  1. Copy the following command into a text file:


    /Library/Java/JavaVirtualMachines/jdk1.8.0_231.jdk/Contents/Home/bin/keytool -v -list -alias myandroidkey -keystore /Users/johndoe/androidkeys.jks -storepass mykeystorepassword -keypass mykeypassword


    "C:\Program Files\Java\jdk1.8.0_231.jdk\bin\keytool" -v -list -alias myandroidkey -keystore "C:\Users\johndoe\androidkeys.jks" -storepass italttby1J# -keypass italttby1J#
  2. Customize the parameters as follows:

    • Change the path to point to where your keytool utility is stored on your computer (or browse to where keytool is stored before running the command). The sample command assumes your keytool is located in a certain location that might not be the case on your computer.
    • Change myandroidkey to the alias for the key you're using to sign your app.
    • Change /Users/johndoe/androidkeys.jks or C:\Users\johndoe\androidkeys.jks to the path to the keystore.
    • Change mykeystorepassword to your key storage password.
    • Change mykeypassword to your key password.

    Customize these values with your own key information based on how you set up the key.

    If keytool is already added to your PATH, you might not need to specify the path before it. However, sometimes the MD5 value won't appear unless you supply the full path to keytool.

  3. Paste the customized keytool command into your terminal or command prompt and press Enter. The response will include the following "certificate fingerprints" (along with other information):

    Certificate fingerprints:
    	 MD5:  02:6C:8B:83:77:96:39:C8:E8:C6:45:AC:6A:CE:B2:5B
    	 SHA1: 45:40:AD:E1:0B:B2:AE:CC:CB:21:65:BD:5A:01:82:A8:07:29:73:D7
    	 SHA256: 12:8F:C1:5D:3D:E9:BD:00:E0:ED:77:B3:84:71:AB:8F:6E:7D:C0:9E:E5:FE:64:EF:8F:BD:DA:EF:77:1F:E8:5E

    Only the MD5 and SHA256 values are needed. Copy these MD5 and SHA256 values into a convenient location, as you will need them to create a security profile (described in the next step).

Create a Security Profile

A security profile associates your security credentials with your app. To create a security profile:

  1. Sign in to and click Developer Console. This takes you into the Appstore Developer Console (as opposed to the Alexa Developer Console).
  2. Click Settings and then click Security Profiles from the second row of subtabs.
  3. Click Create a New Security Profile.
  4. In the Security Profile Name field, give your security profile a friendly name (such as your app's name). Also type a description as desired in the Security Profile Description field.

    Naming your security profile
    Naming your security profile
  5. Click Save.
  6. Click the Android/Kindle Settings tab.

    Configuring the Security Profile
    Configuring the Security Profile
  7. Complete the following fields:

    Field Description
    API Key Name This does not have to be the official name of your app. It simply identifies this particular Android app among the apps and websites registered to your security profile.
    Package This must match the package name of your Android project. In Android Studio, expand your app folder, expand manifests, and double-click AndroidManifest.XML Look for the package name near the top. For example: com.acme.sample.hawaiiapp
    MD5 Signature This signature is used to verify your application. The MD5 signature must be in the form of 16 hexadecimal pairs separated by colons. For example: 02:6C:8B:83:77:96:39:C8:E8:C6:45:AC:6A:CE:B2:5B

    You extracted this value from your signing key using keytool in the previous section, Get the MD5 and SHA-256 Values from Your Key.
    SHA256 Signature This signature is used to verify your application. The SHA-256 signature must be in the form of 32 hexadecimal pairs separated by colons. For example: 12:8F:C1:5D:3D:E9:BD:00:E0:ED:77:B3:84:71:AB:8F:6E:7D:C0:9E:E5:FE:64:EF:8F:BD:DA:EF:77:1F:E8:5E

    You extracted this value from your signing key using keytool in the previous section, Step 5.3: Get the MD5 and SHA-256 Values from Your Key.
  8. Click Generate New Key.
  9. Under API Key, click Show and copy the API key. Save it in a convenient location, as you'll need to add it to your Fire TV project.

    API Key Details
    API Key Details
  10. Close the API Key Details window. Then click the Web Settings tab.
  11. Copy the Client ID and Client Secret into a convenient location. You will use the Client ID and Client Secret when you finalize your Lambda code.

    Copying the client ID and client secret
    Copying the client secret and client ID

Enable Login with Amazon for Your Security Profile

You need to enable Login with Amazon for your security profile:

  1. In the Developer Console, click Login with Amazon on the top navigation.
  2. On the Login with Amazon Console, select your security profile from the Select a Security Profile drop-down menu.

    Enable Login with Amazon for your security profile
    Enable Login with Amazon for your security profile
  3. Click the Confirm button.
  4. In the "Enter Consent Screen Information" dialog box, add a privacy URL and consent logo as desired, and then click Save. (If you're just testing, you can enter your website for the privacy URL for now.)

Add Your API Key into Your Fire TV Project

You need to add the API key from your security profile into your Fire TV project. This will enable your app to receive messages from Amazon Device Messaging (ADM). To add the API key to your app:

  1. In Android Studio, open your Fire TV app project.
  2. Inside your project's assets folder, create a file called api_key.txt. Placing the file in this specific directory is required.

    Sample App

    The sample app already has a file called api_key.txt. Press your spacebar twice and search for the file, and then remove its contents and paste in your API key.
  3. Insert your API key as the only data in this api_key.txt file.

Generate a Signed APK into the Developer Console

You need to generate your APK and upload it into the Developer Console so that you can associate your app with your security profile with a specific app's package name. To generate a signed APK from Android Studio:

  1. In Android Studio, generate a signed APK by going to Build and then selecting Generate Signed Bundle / APK. Select APK, and then click Next.
  2. Select the same signing key you configured earlier. Then click Next.
  3. Select the desired Destination Folder (this is where Android Studio will generate the built APK). Select the debug build (or whatever build has the signing key you customized). Select the V1 (Jar Signature) check box. Then click Finish.
  4. After Android Studio builds your project, it shows a small message window with a locate link to open the destination folder where your APK was built. Click locate and open your destination folder to easily access the APK.

    Locating your built APK
    Locating your built APK

Upload Your APK into the Developer Console

Now that you generated your signed APK, upload it into the Developer Console.

  1. If you're not already in the Develpoer Console, sign in to the Developer Console and go to the Dashboard (click the Developer Console link in the upper-right corner).
  2. Click Apps & Services and then click My Apps.
  3. In the lower-right corner, click Add New App and then select Android.
  4. Give your app a name in the App title field and a category in the App category field. (More information about these fields is provided in Add General Information in the App Submission process.)
  5. Click Save.
  6. Click the APK Files tab. If the fields aren't already editable, click Edit in the lower-right corner.
  7. Drag the APK from the destination folder (where you generated it) over to the Drop APK here box in the APK Files tab in the Developer Console.
  8. Complete the other required fields — select a check box in Language Support (e.g., English), and select the Explore Compliance check box.

    More information about the APK Files tab is available in Upload APK Files. You can do all of this later as per the documentation in Getting Started with App Submission. For now, you just need to have an app to attach the security profile to. The security profile requires a package name.

  9. Click Save.

Attach the Security Profile to Your App

You need to attach the security profile to your app. This will allow your app to be authorized on Fire TV. To attach the security profile to your app:

  1. If you're not already viewing your app in the Developer Console, sign in to and click Apps & Services and then select My Apps. Then select your app.
  2. In the first row of subtabs below your app's name, click the App Services tab.

    Selecting App Services
    Selecting App Services
  3. In the Security Profile section, expand the Select existing security profile or create new link. Then in the Security Profile drop-down that appears, select the security profile you created earlier and click Enable Security Profile.

    Selecting the security profile for your app
    Selecting the security profile for your app

    You will see a confirmation message that says, Security profile "{Name}" has been successfully enabled for your app with details about the attached security profile.

  4. In the Device Messaging section, click the Enable Device Messaging button.

    Enable Device Messaging
    Enable Device Messaging
  5. This same security profile will be shown as attached for the Login with Amazon sections as well.

    Note that once you attach a security profile to an app, you cannot remove or change the security profile's attachment to the app.

Next Steps

Continue on to the next step: Step 5: Create and Deploy a Lambda Package.

(If you run into any issues that prevent you from continuing, see Troubleshooting.)