Do you want the application to accept incoming network connections?

Posted on by Daniel Silva

I learned something about the Mac OS X Firewall that can be annoying this past weekend. If an application is not properly signed, or the application has changed since last being properly signed, then you have to repeatedly give it permissions to access network resources.

You see it all over the internet, mostly related to iTunes or Safari. I had it happen to me this weekend with another application.

Here’s my attempt sorting out the options, what I recommend and what’s going on behind the scenes.

There are two things you can do if this happens to you:

  1. Uninstall and reinstall the application.
  2. Sign the application yourself.

The first option was tempting, but I didn’t want to do this for three reasons: the application is gigabytes in size (would take a while), I had made customizations that would require a bit of time to re-add, and I’m not really solving a problem here, just skirting it. It could come back, and uninstalling/reinstalling is not an adequate solution.

The second option sounds scary, but it’s actually very easy. I will outline how to do the second option in simple steps.

Disclaimer: Signing an application yourself will make an application appear more secure to the operating system, when in reality it isn’t. Only sign applications that you are 100% sure are not spyware or otherwise malicious. If you have any doubts, just uninstall/reinstall.

 
Step 1: Validate the problem is a code signing problem

Open up Terminal, and type the following command:

1
codesign -vvv /Path/To/App

The result I was getting with the problematic app was:

1
2
App: a sealed resource is missing or invalid
/Path/To/App/Contents/Resources/Renderer.nib: resource missing

OK, so this is why my Firewall doesn’t trust it. It is signed, but it has changed in some way since the signature was made. This is a good thing, generally speaking. I only wish Mac OS X gave me an easy way to say, “trust it anyway,” as I know in this case the resource in question isn’t missing but was simply renamed and the developer forgot to resign the app. Mac OS X does not give me this option.

 
Step 2: Create a Signing Identity

The solution I’m going for – signing the app myself – requires that I create a Signing Identity, also known as Signing Certificate. This is very easy to do:

  1. Open Applications > Utilities > Keychain Access.
  2. From the Keychain Access menu, choose Certificate Assistant > Create a Certificate.
  3. Fill in a name for the certificate. This name appears in the Keychain Access utility as the name of the certificate. This is also the name you will use when referencing this certificate. Personally, I used the name, “My Signing Identity.”
  4. Choose Self Signed Root from the Type popup menu.
  5. Check the Let me override defaults checkbox.
  6. If you can at this point, choose Code Signing from the Certificate Type menu.
  7. Click Continue.
  8. Specify a serial number for the certificate. Any number will do as long as you have no other certificate with the same name and serial number.
  9. If you can at this point, choose Code Signing from the Certificate Type menu.
  10. Click Continue.
  11. Fill in the information for the certificate. You can use real or fake data, I used real data personally.
  12. Click Continue.
  13. Accept the defaults for the rest of the dialogs.

Once completed, you will see your certificate in Keychain Access. Verify the name you picked, and you’re done with this step. Well done!

 
Step 3: Resign your application

Now you have to sign your application. To do this, open up Terminal again and use the following command:

1
codesign -s "My Signing Identity" -f /Path/To/App

The -s switch tells codesign you want to sign an application, and the -f switch tells codesign you want to force the signature, even if a signature already exists. “My Signing Identity” is the name of the certificate I created in the previous step in this process. Plug in the proper identity name (in quotes if there are spaces in the name, as there was in mine) and path to the problematic application.

If the command runs without error, you’re good to go.

Now, go ahead and validate by repeating Step 1 of this process. Type the following command in Terminal:

1
codesign -vvv /Path/To/App

The result you should get this time is:

1
2
App: valid on disk
App: satisfies its Designated Requirement

This is good.

 
Step 4: Re-add the Application to the Firewall’s Exceptions

You can do it either explicitly through the Security preferences pane in the System Preferences area, or you can just let the operating system prompt you: Do you want the application to accept incoming network connections? Either way, once you’ve given it access, Mac OS X will not ask you again. This was what I was going after.
 

 
In summary: If you’re having this problem, you can always sign the app yourself. This is risky business, so if you’re not 100% sure the application is safe, don’t do this; you’re better off uninstalling and reinstalling. But if uninstalling and reinstalling is prohibitive and you know the application is safe, you can use this method to get rid of the pesky, repetitive prompt by the operating system.

Further reading, for extra credit:

Related posts:

  1. How to open a Mac OS X application with command line arguments
  2. You have not chosen to trust “GeoTrust DV SSL CA”
  3. How to burn an ISO to a USB drive on Mac OS X
  • http://rhftech.com Richard

    Very nice writeup. Like your solution.

    I think there is a typo in the headline, “Step 2: Create a ‘Singing’ Identity”. I would guess the word you meant is “Signing”.

  • http://silvanolte.com Daniel Silva

    Yeah, that was a typo. Thank you for pointing it out.

  • BlackMacX

    I have tried this; but it’s not worked at all for me. I was able to everything; but I did get an error (I can’t remember it at the moment) during the resigning of the application. iTunes still asks me everytime I launch it whether I will allow it to accept or deny it access to incoming network traffic. I have rebooted my iMac, removed and re-installed iTunes (10.2.2) and all to no avail. I have removed iTunes from the Firewall tab of the Security Prefpane; I have turned off and then on my firewall, re-added iTunes and as noted, all to no avail.

    The hint is great and worked for another app; but not iTunes… Oh well, any insight would be nice.

  • http://twitter.com/sirdanielsilva Daniel Silva

    I’d like to help. To start, tell me what the console responds with when you type:

    codesign -vvv /Applications/iTunes.app

    The path above to iTunes may not be the same on your computer. Adjust accordingly. We can go from there.

  • BlackMacX

    Hi Daniel,

    Thanks for offering to help; here is the exact output from my Terminal to the noted command:

    Last login: Fri Jun 10 11:48:26 on ttys000
    ***********-iMac:~ ******$ codesign -vvv /Applications/iTunes.app
    /Applications/iTunes.app: a sealed resource is missing or invalid
    /Applications/iTunes.app/Contents/Resources/English.lproj/iPodSettings.nib/objects.xib: resource added
    /Applications/iTunes.app/Contents/Resources/English.lproj/MusicStoreBar.nib/objects.xib: resource added
    /Applications/iTunes.app/Contents/Resources/English.lproj/PartyShuffleSettings.nib/objects.xib: resource added
    /Applications/iTunes.app/Contents/Resources/English.lproj/Placards.nib/objects.xib: resource added
    /Applications/iTunes.app/Contents/Resources/English.lproj/Ringtone.nib/objects.xib: resource added
    /Applications/iTunes.app/Contents/Resources/English.lproj/SetupAssistant.nib/objects.xib: resource added
    /Applications/iTunes.app/Contents/Resources/iTunes-device.icns: resource added
    /Applications/iTunes.app/Contents/Resources/iTunes-itb.icns: resource added
    ***********-iMac:~ ******$

    Ironically, though iTunes asks me everytime I start it up to allow it to accept incoming access, if I don’t permit it, it still accepts incoming traffic… Interesting.

  • http://dgimpel.myopenid.com/ dgg

    Hi Daniel – Thanks sharing your nicely documented solution. I’ve had this issue for quite some time now with iTunes but I’ve been too lazy to really do anything about it. When I recently started getting the warning upon starting Eclipse, I thought I’d try to figure out a workaround. Here’s what happens when I try to sign the iTunes app (which I thought I’d sign before doing so on Eclipse):
    iTunes.app: replacing existing signature
    codesign_allocate: can’t create output file: /Applications/iTunes.app/Contents/MacOS/iTunes.cstemp (Permission denied)
    iTunes.app: object file format invalid or unsuitable

  • http://twitter.com/sirdanielsilva Daniel Silva

    Sounds like a permissions issue is preventing you from properly signing. You could introspect the iTunes.app package, but an easier choice would be to just repair permissions using Disk Utility (found in /Applications/Utilities folder). Once you run Disk Utility, click on your drive on the left (if you have more than one choice, choose the one that has the /Applications/iTunes.app package), then click the First Aid tab and then click the “Repair Disk Permissions” button. Let it do its thing, then try to sign iTunes again.

    I’m a Java developer myself but I don’t use Eclipse. Too heavy. I use TextMate as a make-shift IDE (more like a text editor) and use its built-in bundles for compilation. I have also written bundles to do stuff like maven builds and Java/Groovy script executions. But the ones out there are probably better than mine. I should blog about that soon.

  • http://twitter.com/sirdanielsilva Daniel Silva

    Sounds like a permissions issue is preventing you from properly signing. You could introspect the iTunes.app package, but an easier choice would be to just repair permissions using Disk Utility (found in /Applications/Utilities folder). Once you run Disk Utility, click on your drive on the left (if you have more than one choice, choose the one that has the /Applications/iTunes.app package), then click the First Aid tab and then click the “Repair Disk Permissions” button. Let it do its thing, then try to sign iTunes again.

    I’m a Java developer myself but I don’t use Eclipse. Too heavy. I use TextMate as a make-shift IDE (more like a text editor) and use its built-in bundles for compilation. I have also written bundles to do stuff like maven builds and Java/Groovy script executions. But the ones out there are probably better than mine. I should blog about that soon.

  • http://twitter.com/sirdanielsilva Daniel Silva

    Apologies for getting back to late to you. OK, all that output looks pretty good. Try to resign the application and report back exactly what you get. Also, look at my comment below to dgg. You may be having a permissions related issue, in which case repairing permissions can only help. Check out the steps on how to do that below. Cheers.

  • http://twitter.com/sirdanielsilva Daniel Silva

    Apologies for getting back to late to you. OK, all that output looks pretty good. Try to resign the application and report back exactly what you get. Also, look at my comment below to dgg. You may be having a permissions related issue, in which case repairing permissions can only help. Check out the steps on how to do that below. Cheers.

  • Pingback: Need to write more, better | The λ♥[love] Blog

  • http://www.shedosurashu.com/ Shedo Chung-Hee Surashu

    I have this issue and I’m having trouble re-siigning the app (iTunes). it keeps on giving me permission denied on the Terminal.

  • http://twitter.com/sirdanielsilva Daniel Silva

    Are you using an Administrator account? You can try adding “sudo ” as a prefix to any command in Terminal, e.g. sudo codesign…, just type in your password at the prompt.

  • http://www.shedosurashu.com/ Shedo Chung-Hee Surashu

    Okay, I tried using SUDO but for some reason when it prompts me for my password, I can’t type it. See this screenshot:

    http://screencast.com/t/HbovsimP9

  • Chris Sederqvist

    You don’t see what you type when you use sudo! It’s not echo’ed back to the terminal.
    Just type the password and hit Enter…

  • Chris Sederqvist

    Very nice! I’ve been plagued by this popping up every time I start Maya. Finally I can have peace in my mind.

  • Gary

    Thanks for posting this. Tried everything to stop Growl asking to accept incoming network connections, to no avail. This worked a treat and has given me some sanity back!!

  • http://twitter.com/sirdanielsilva Daniel Silva

    No problem, happy to help!

  • Mw

    I did the exact steps as well for Growl. The terminal output was exactly as you have listed above, however the Growl app still prompts me to accept incoming connections!

  • Mw

    Seems to work now. I cleared out the old growl that was in firewall list. Restarted, was prompted to accept or deny incoming connections, accepted them. Restarted again, and no pop up asking me this time.

  • http://twitter.com/sirdanielsilva Daniel Silva

    Good to know. I was thinking it was a bug in OS X Lion because I was noticing this behavior too with other applications. I just tried clearing it and just letting the system prompt me, that worked. Good stuff, thanks Mw!

  • Pär Svensson

    Great! Thank you.

  • Keevil

    Thank you very much, this has been very helpful. And solve a somewhat annoying issue.

  • http://pulse.yahoo.com/_6FN6HPENU7BJWABWCWFM3CDYDQ MikeD

    Worked perfectly for Growl on OS X Lion, the pop up drove me crazy every time I logged in. Thanks!

  • Percy

    I feel like such a noob for posting this, but when I type codesign -vvv /path/to/growl.app it tells me no such file or directory exists…

    I didn’t even get as far code signing.

  • http://twitter.com/danielsweb Daniel Silva

    The expression ‘/path/to/growl.app’ is not a literal one. The ‘/path/to’ portion is relative to where it is installed on your machine. For example, for Growl, it may be ‘/Applications/Growl.app’

    Hope this helps.

  • Percy

    Daniel, you’re awesome, and you just made my day! Thank you very much!

  • http://twitter.com/danielsweb Daniel Silva

    You’re most welcome!