20

I am using Syncthing, which is an application to sync files between two or more computers. I believe Syncthing (on github) needs to be allowed to Accept incoming network connections to work properly.

Mac OS X has a built-in firewall, which constantly asks me, in the form of a pop-up window, if I want to allow syncthing to accept incoming network connections. Usually, this is only asked once for an application, but for some reason this pop-up appears at least 4 times a day.

It might be related to an automated update functionality that results in a new binary showing up once in a while (similar to what Google Chrome does). However, the update frequency of this application is much lower than the number of pop-ups I am receiving.

Any idea what I could do to make Mac OS X stop asking me this question for a specific application or is there just no way around it?

It would be great if there was also a default choice that would be made in case I am away from the machine. Any idea how this could be accomplished - without turning the firewall off?

Chris

2 Answers

13

This might be caused by a missing or wrong digital signature. Like Apple explains:

If you run an unsigned app that is not listed in the firewall list, a dialog appears with options to Allow or Deny connections for the app. If you choose Allow, OS X signs the application and automatically adds it to the firewall list.

[...]

Some apps check their own integrity when they are opened without using code signing. If the firewall recognizes such an app it doesn't sign it. Instead, the "Allow or Deny" dialog appears every time the app is opened. This can be avoided by upgrading to a version of the app that is signed by its developer.

This dialog might also be shown every time if the application is signed, but the signature of the application itself is broken, like even for iTunes.

You can check the signature by running the following command in Terminal (I am not sure about your application's name here):

codesign --verify -vv /Applications/Syncthing.app/

Alternatively, maybe remove the application in the firewall settings, and then see if accepting once more is enough to stop OS X prompting you? Or maybe explicitly add it through those settings?

And as for the default: make sure the option "Automatically allow signed software to receive incoming connections" is enabled:

Arjan
  • pretty good answer - I found that default setting you mentioned, but it's not satisfactory as **all** incoming connections will be enabled automatically this way, but I guess that's the only option – Chris May 09 '15 at 16:42
  • 1
    @Chris, if you're (rightfully so) concerned about signed applications being allowed to accept incoming connections, then please note that the OS X firewall only filters *incoming* connections. It allows *all* outgoing connections, so from a security point of view I'd say that any other firewall is preferred over the OS X one. (But [some disagree about that](http://www.howtogeek.com/172349/why-you-dont-need-an-outbound-firewall-on-your-laptop-or-desktop-pc/), while others [disagree with those who disagree](http://www.intego.com/mac-security-blog/why-you-need-an-outbound-firewall/)...) – Arjan May 09 '15 at 17:32
  • So, @Chris, any results for the signature check? And on removing the application from the firewall settings to see if "Allow" sticks after that (maybe until the next update...)? – Arjan May 09 '15 at 17:35
  • thanks for the hints - I am in fact using [LittleSnitch](https://www.obdev.at/products/littlesnitch/index.html) to have a better firewall for the reasons you explained, but still have the OS X firewall enabled - I will test removing it from there and see if that does anything – Chris May 13 '15 at 16:01
  • I realised that `syncthing` was present **multiple times** inside the OS X Firewall settings. I removed all of them and restarted the application. I am waiting to see if the constant nagging has now stopped :) – Chris May 18 '15 at 10:46
  • Ah, nice, @Chris. Did you ever run the `codesign --verify` command? – Arjan May 18 '15 at 11:19
  • Yes, I did try it - with mixed results. For this to make sense you need to know that I compiled a *syncthing.app* myself, which contains and manages another *syncthing* executable, which I do not compile and which is periodically updated by itself. The signature for the _internal_ *syncthing* appears valid, but the compiled *syncthing.app* reports `a sealed resource is missing or invalid`, which is most likely because the *syncthing* has been updated internally and thus was changed as a resource. I hope this makes sense. – Chris May 22 '15 at 12:10
  • PS: After a few days I now had no more issues with this and accepted this as the answer! Thanks. – Chris May 22 '15 at 12:11
  • Yes, @Chris, makes sense. So, if I understand correctly you removed all occurrences of the app from the firewall settings, and then allowed it to accept connections. So, I guess you'll see *one* occurrence of that app in the firewall now. When you accepted, OS X will have calculated the signature, and I assume that `codesign --verify` will report all is fine today. (You might want to try!) However, as soon as that *internal syncthing* updates itself, the signature that OS X calculated breaks, so as of that day you'll have to approve (after every reboot?), or clean up the firewall settings... – Arjan May 22 '15 at 12:20
  • 1
    Yes, that's what I did and expect to happen. However, even though I believe the internal *syncthing* was updated recently, the OS X firewall didn't bother me again (so far). The firewall actually "knows" that it's the internal executable that asks for permission and doesn't add the wrapper application (whose signature is breaking). The internal executable always has a valid signature (after every update), but I don't know if the OS X firewall checks for changes of signature? In this case Skype, etc. should also ask for permissions after every update, though (which they don't as far as I know). – Chris May 22 '15 at 13:26
  • BTW, this comment explains how to fix a bad (or old) code signature yourself, even if you don't own an official one from Apple: http://apple.stackexchange.com/a/121010 – SuperTempel Sep 19 '16 at 12:49
6

This instruction permanently disables this annoying pop-up and the solution is applicable to all apps missing or having a wrong digital signature.

In short:

sudo codesign --force --deep --sign - path-to-the-app.app
Robbotnik
  • 2
    Signing the app seems to be a good way to make this popup disappear for apps without a signature. However the above command does not seem to work for me. I never signed an app. Is there some key to generate first? Or config to set up? I am typically getting `error: The specified item could not be found in the keychain`. – Pierre-Antoine Apr 24 '20 at 21:19
  • @Pierre-Antoine you will need to generate your key, [this answer](https://apple.stackexchange.com/a/121010/235345) does a good job of covering how to do so (while talking about the same solution) – skplunkerin May 13 '21 at 21:10
  • @Pierre-Antoine I still had the popup after doing this to the executable. What fixed it for me was after forcing the code signing process, removing that executable from the Firewall's list of whitelisted applications. Once I removed the old entry I never saw another popup for the app. – AlbertEngelB May 14 '21 at 19:53
  • note that the syntax is a bit weird. the complete syntax for say Golang would be `sudo codesign --force --deep --sign - /Applications/GoLand.app` – Yar Sep 16 '21 at 05:20
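The two answers and the comment thread describe one workflow: verify the app's signature with `codesign`, remove stale entries from the application firewall list (Chris found `syncthing` listed several times), re-sign ad hoc with `--sign -` if the signature is missing or broken, and add the app back explicitly. The script below, an added example that is not from either answer or from the Syncthing project, strings those steps together. It assumes macOS with `codesign` and `/usr/libexec/ApplicationFirewall/socketfilterfw` available; the `classify_codesign_output` function is a pure string function that only interprets `codesign`'s diagnostic text (the constructed samples in `self_test` mirror real `codesign` messages, including the `a sealed resource is missing or invalid` one from Chris's comment), so it can be checked on any machine.

```shell
#!/bin/sh
# Added example: diagnose and repair the repeating "Allow or Deny" prompt
# from the macOS application firewall. Not code from the answers above.
# Assumes macOS (codesign + socketfilterfw); pass the .app path as $1.

ALF=/usr/libexec/ApplicationFirewall/socketfilterfw

# Interpret what `codesign --verify -vv` / `codesign -dvv` print to stderr.
# Prints exactly one word: unsigned | broken | adhoc | signed | unknown.
classify_codesign_output() {
    case "$1" in
        *"code object is not signed at all"*)        echo unsigned ;;
        *"a sealed resource is missing or invalid"*) echo broken ;;   # Chris's case
        *"code or signature have been modified"*)    echo broken ;;
        *"Signature=adhoc"*)                         echo adhoc ;;    # signed with "-"
        *"Authority="*)                              echo signed ;;   # certificate chain present
        *)                                           echo unknown ;;
    esac
}

# Step 1 (first answer): verify the signature and say what kind it is.
check_app_signature() {
    app="$1"
    # codesign reports on stderr; a non-zero exit means the seal is bad.
    if verify_out=$(codesign --verify --deep --strict -vv "$app" 2>&1); then
        classify_codesign_output "$(codesign -dvv "$app" 2>&1)"
    else
        classify_codesign_output "$verify_out"
    fi
}

# Step 2 (Chris's comment): how many times does the app appear in the list?
count_firewall_entries() {
    "$ALF" --listapps 2>/dev/null | grep -c -F "$1"
}

# Steps 2-4: drop every stale entry, re-sign ad hoc only if needed
# (second answer), then add the app back and allow it explicitly.
repair_firewall_entry() {
    app="$1"
    status=$(check_app_signature "$app")
    echo "signature status for $app: $status"
    while [ "$(count_firewall_entries "$app")" -gt 0 ]; do
        sudo "$ALF" --remove "$app" >/dev/null || break
    done
    case "$status" in
        unsigned|broken)
            # "-" as the identity means an ad-hoc signature: no keychain
            # certificate is needed, so no "could not be found in the keychain".
            sudo codesign --force --deep --sign - "$app" ;;
    esac
    sudo "$ALF" --add "$app" >/dev/null
    sudo "$ALF" --unblockapp "$app" >/dev/null
    echo "entries now listed for $app: $(count_firewall_entries "$app")"
}

# Constructed samples of codesign output (not captured from a real machine);
# returns 0 when the classifier labels each one as expected.
self_test() {
    [ "$(classify_codesign_output '/Applications/Foo.app: code object is not signed at all')" = unsigned ] &&
    [ "$(classify_codesign_output '/Applications/Syncthing.app: a sealed resource is missing or invalid')" = broken ] &&
    [ "$(classify_codesign_output 'Identifier=foo
Signature=adhoc')" = adhoc ] &&
    [ "$(classify_codesign_output 'Identifier=com.example.foo
Authority=Developer ID Application: Example Corp (TEAMID0000)')" = signed ]
}

# Usage: sudo sh fix-firewall-prompt.sh /Applications/Syncthing.app
if [ -n "$1" ]; then
    repair_firewall_entry "$1"
fi
```

Run it once with the app path; if `check_app_signature` reports `signed` and the prompt still returns after the app's own self-update replaces the internal binary, that matches Arjan's explanation: the seal OS X computed no longer matches, and the entry has to be cleaned up again.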