How do I stop my Mac from asking to accept incoming network connections?

12

5

I am using Syncthing, which is an application to sync files between two or more computers. I believe Syncthing (on github) needs to be allowed to Accept incoming network connections to work properly.

Mac OS X has a built-in firewall, which constantly asks me if I want to allow syncthing to accept incoming network connections in the form of a pop-up window. Usually, this only is asked once for an application, but for some reason this pop-up appears at least 4 times a day.

It might be related to an automated update functionality that results in a new binary showing up once in a while (similar to what Google Chrome does). However, the update frequency of this application is much lower compared to the amount of pop-ups I am receiving.

Any idea what I could do to make Mac OS X stop asking me this question for a specific application or is there just no way around it?

It would be great if there was also a default choice that would be made in case I am away from the machine. Any idea how this could be accomplished - without turning the firewall off?

Chris

Posted 2015-05-09T11:03:32.483

Reputation: 988

Answers

8

This might be caused by a missing or wrong digital signature. Like Apple explains:

If you run an unsigned app that is not listed in the firewall list, a dialog appears with options to Allow or Deny connections for the app. If you choose Allow, OS X signs the application and automatically adds it to the firewall list.

[...]

Some apps check their own integrity when they are opened without using code signing. If the firewall recognizes such an app it doesn't sign it. Instead, the "Allow or Deny" dialog appears every time the app is opened. This can be avoided by upgrading to a version of the app that is signed by its developer.

This dialog might also be shown every time if the application is signed, but the signature of the application itself is broken, like even for iTunes.

You can check the signature by running the following command in Terminal (I am not sure about your application's name here):

codesign --verify -vv /Applications/Syncthing.app/

Alternatively, maybe remove the application in the firewall settings, and then see if accepting once more is enough to stop OS X prompting you? Or maybe explicitly add it through those settings?

And as for the default: make sure the option "Automatically allow signed software to receive incoming connections" is enabled:

Arjan

Posted 2015-05-09T11:03:32.483

Reputation: 29 084

pretty good answer - I found that default setting you mentioned, but it's not satisfactory as all incoming connections will be enabled automatically this way, but I guess that's the only option – Chris – 2015-05-09T16:42:18.070

1

@Chris, if you're (rightfully so) concerned about signed applications being allowed to accept incoming connections, then please note that the OS X firewall only filters incoming connections. It allows all outgoing connections, so from a security point of view I'd say that any other firewall is preferred over the OS X one. (But some disagree about that, while others disagree with those who disagree...)

– Arjan – 2015-05-09T17:32:20.623

So, @Chris, any results for the signature check? And on removing the application from the firewall settings to see if "Allow" sticks after that (maybe until the next update...)? – Arjan – 2015-05-09T17:35:09.997

thanks for the hints - I am in fact using LittleSnitch to have a better firewall for the reasons you explained, but still have the OS X firewall enabled - I will test removing it from there and see if that does anything

– Chris – 2015-05-13T16:01:16.027

I realised that syncthing was present multiple times inside the OS X Firewall settings. I removed all of them and restarted the application. I am waiting to see if the constant nagging has now stopped :) – Chris – 2015-05-18T10:46:45.443

Ah, nice, @Chris. Did you ever run the codesign --verify command? – Arjan – 2015-05-18T11:19:19.327

Yes, I did try it - with mixed results. For this to make sense you need to know that I compiled a syncthing.app myself, which contains and manages another syncthing executable, which I do not compile and is periodically updated by itself. The signature for the internal syncthing appears valid, but the compiled syncthing.app reports a sealed resource is missing or invalid, which is most likely because the syncthing has been updated internally and thus was changed as a resource. I hope this makes sense. – Chris – 2015-05-22T12:10:37.457

PS: After a few days I now had no more issues with this and accepted this as the answer! Thanks. – Chris – 2015-05-22T12:11:09.243

Yes, @Chris, makes sense. So, if I understand correctly you removed all occurrences of the app from the firewall settings, and then allowed it to accept connections. So, I guess you'll see one occurrence of that app in the firewall now. When you accepted, OS X will have calculated the signature, and I assume that codesign --verify will report all is fine today. (You might want to try!) However, as soon as that internal syncthing updates itself, the signature that OS X calculated breaks, so as of that day you'll have to approve (after every reboot?), or clean up the firewall settings... – Arjan – 2015-05-22T12:20:58.113

1

Yes, that's what I did and expect to happen. However, even though I believe the internal syncthing was updated recently, the OS X firewall didn't bother me again (so far). The firewall actually "knows" that it's the internal executable that asks for permission and doesn't add the wrapper application (whose signature is breaking). The internal executable always has a valid signature (after every update), but I don't know if the OS X firewall checks for changes of signature? In this case also Skype, etc. should ask for permissions after every update, though (which they don't as far as I know). – Chris – 2015-05-22T13:26:48.320

BTW, this comment explains how to fix a bad (or old) code signature yourself, even if you don't own an official one from Apple: http://apple.stackexchange.com/a/121010

– SuperTempel – 2016-09-19T12:49:07.023
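The check discussed in the comments above, as an added example that is not part of the original posts: it verifies the wrapper bundle and the embedded executable separately, so a broken wrapper seal can be told apart from a bad inner signature, and it counts matching entries in the firewall list. The function names, the `CODESIGN`/`ALF` override variables and the two paths given on the command line are assumptions.

```shell
#!/bin/sh
# Added example: audit a wrapper app whose embedded, self-updating
# executable changes on disk. All paths and names passed in are assumptions.
CODESIGN=${CODESIGN:-codesign}
ALF=${ALF:-/usr/libexec/ApplicationFirewall/socketfilterfw}

# Print "valid" or "invalid" for one code object (a bundle or one executable).
sig_state() {
    if "$CODESIGN" --verify "$1" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

# Compare the wrapper's seal with the embedded executable's own signature.
# $1 = wrapper .app bundle, $2 = executable embedded inside it
diagnose() {
    outer=$(sig_state "$1")
    inner=$(sig_state "$2")
    case "$outer/$inner" in
        valid/valid)   echo "ok" ;;
        invalid/valid) echo "wrapper-seal-broken" ;;  # resource changed after sealing
        valid/invalid) echo "inner-invalid" ;;        # inner unsigned or damaged
        *)             echo "both-invalid" ;;
    esac
}

# Count firewall-list lines that mention $1 (case-insensitive, fixed string).
# More than one hit means the app was added several times.
fw_entries() {
    "$ALF" --listapps 2>/dev/null | grep -ciF -- "$1" || true
}

# Usage: sh audit.sh /path/to/Wrapper.app /path/to/Wrapper.app/.../executable
if [ "$#" -eq 2 ]; then
    echo "signature state:  $(diagnose "$1" "$2")"
    echo "firewall entries: $(fw_entries "$(basename "$2")")"
fi
```

A result of `wrapper-seal-broken` matches the situation described in the comments: the inner executable verifies on its own, while the wrapper that contains it as a resource no longer does.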

0

This instruction permanently disables this annoying pop-up and the solution is applicable to all apps missing or having a wrong digital signature.

In short:

sudo codesign --force --deep --sign - path-to-the-app.app

HerrRobot

Posted 2015-05-09T11:03:32.483

Reputation: 101