I am using Syncthing, which is an application to sync files between two or more computers. I believe Syncthing (on GitHub) needs to be allowed to Accept incoming network connections to work properly.
Mac OS X has a built-in firewall, which constantly asks me if I want to allow syncthing to accept incoming network connections in the form of a pop-up window. Usually, this is only asked once for an application, but for some reason this pop-up appears at least 4 times a day.
It might be related to an automated update functionality that results in a new binary showing up once in a while (similar to what Google Chrome does). However, the update frequency of this application is much lower compared to the amount of pop-ups I am receiving.
Any idea what I could do to make Mac OS X stop asking me this question for a specific application or is there just no way around it?
It would be great if there was also a default choice that would be made in case I am away from the machine. Any idea how this could be accomplished - without turning the firewall off?
pretty good answer - I found that default setting you mentioned, but it's not satisfactory as all incoming connections will be enabled automatically this way, but I guess that's the only option – Chris – 2015-05-09T16:42:18.070
@Chris, if you're (rightfully so) concerned about signed applications being allowed to accept incoming connections, then please note that the OS X firewall only filters incoming connections. It allows all outgoing connections, so from a security point of view I'd say that any other firewall is preferred over the OS X one. (But some disagree about that, while others disagree with those who disagree...)
– Arjan – 2015-05-09T17:32:20.623
So, @Chris, any results for the signature check? And on removing the application from the firewall settings to see if "Allow" sticks after that (maybe until the next update...)? – Arjan – 2015-05-09T17:35:09.997
thanks for the hints - I am in fact using LittleSnitch to have a better firewall for the reasons you explained, but still have the OS X firewall enabled - I will test removing it from there and see if that does anything – Chris – 2015-05-13T16:01:16.027
I realised that syncthing was present multiple times inside the OS X Firewall settings. I removed all of them and restarted the application. I am waiting to see if the constant nagging has now stopped :) – Chris – 2015-05-18T10:46:45.443
Ah, nice, @Chris. Did you ever run the codesign --verify command? – Arjan – 2015-05-18T11:19:19.327
Yes, I did try it - with mixed results. For this to make sense you need to know that I compiled a syncthing.app myself, which contains and manages another syncthing executable, which I do not compile and is periodically updated by itself. The signature for the internal syncthing appears valid, but the compiled syncthing.app reports "a sealed resource is missing or invalid", which is most likely because the syncthing has been updated internally and thus was changed as a resource. I hope this makes sense. – Chris – 2015-05-22T12:10:37.457
PS: After a few days I now had no more issues with this and accepted this as the answer! Thanks. – Chris – 2015-05-22T12:11:09.243
Yes, @Chris, makes sense. So, if I understand correctly you removed all occurrences of the app from the firewall settings, and then allowed it to accept connections. So, I guess you'll see one occurrence of that app in the firewall now. When you accepted, OS X will have calculated the signature, and I assume that codesign --verify will report all is fine today. (You might want to try!) However, as soon as that internal syncthing updates itself, the signature that OS X calculated breaks, so as of that day you'll have to approve (after every reboot?), or clean up the firewall settings... – Arjan – 2015-05-22T12:20:58.113
Yes, that's what I did and expect to happen. However, even though I believe the internal syncthing was updated recently, the OS X firewall didn't bother me again (so far). The firewall actually "knows" that it's the internal executable that asks for permission and doesn't add the wrapper application (whose signature is breaking). The internal executable always has a valid signature (after every update), but I don't know if the OS X firewall checks for changes of signature? In this case also Skype, etc should ask for permissions after every update, though (which they don't as far as I know). – Chris – 2015-05-22T13:26:48.320
BTW, this comment explains how to fix a bad (or old) code signature yourself, even if you don't own an official one from Apple: http://apple.stackexchange.com/a/121010
– SuperTempel – 2016-09-19T12:49:07.023
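
The two checks discussed in the comments above (duplicate firewall entries for one executable, and codesign --verify on the wrapper and the inner binary), as an added shell example that is not part of the original thread. The sample paths are constructed, and the layout of the socketfilterfw --listapps output is an assumption about the OS X application firewall tool.

```shell
#!/bin/sh
# Added example, not code from the thread.
FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Constructed sample of `socketfilterfw --listapps` output (hypothetical paths;
# the layout is an assumption about the tool's format).
sample_listapps() {
cat <<'EOF'
ALF: total number of apps = 4

1 :  /Applications/syncthing.app
     ( Allow incoming connections )

2 :  /Users/chris/Library/Application Support/Syncthing/syncthing
     ( Allow incoming connections )

3 :  /Applications/Skype.app
     ( Allow incoming connections )

4 :  /Users/chris/Downloads/syncthing
     ( Block incoming connections )
EOF
}

# Read --listapps output on stdin and print "count name" for every executable
# name that has more than one firewall entry (a ".app" suffix is ignored).
fw_duplicates() {
  awk '/^[0-9]+[ \t]*:/ {
         sub(/^[0-9]+[ \t]*:[ \t]*/, ""); sub(/[ \t]+$/, "")
         n = split($0, parts, "/"); name = parts[n]
         sub(/\.app$/, "", name)
         count[tolower(name)]++
       }
       END { for (k in count) if (count[k] > 1) print count[k], k }' | sort
}

# Print valid/invalid for a path, or unavailable when codesign is not installed.
sig_status() {
  command -v codesign >/dev/null 2>&1 || { echo unavailable; return 0; }
  if codesign --verify "$1" 2>/dev/null; then echo valid; else echo invalid; fi
}

# On a Mac, inspect the live firewall list; elsewhere, use the constructed sample.
if [ -x "$FW" ]; then "$FW" --listapps | fw_duplicates
else sample_listapps | fw_duplicates; fi
```

Run sig_status once on the wrapper .app and once on the inner executable to see which of the two has the broken seal.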