Mac OS X Application Firewall & code signing

I often connect over a slow connection via SSH to an older Mac running Vine Server 3.0. I’ve bought Vine Viewer just to do that.

To speed things up, I’ve modified something inside my Vine Viewer.app according to this hint: http://www.testplant.com/phpBB2/viewtopic.php?t=528 - SSH compression works great for me.

However, this seems to break the code signature of Vine Viewer.app, therefore rendering the application suspicious to Leopard’s (and no doubt Snow Leopard’s) Application Firewall. That means, even if I explicitly allow it to accept incoming connections, the firewall won’t let it.
(note - we’re not talking about ipfw - it’s not just a matter of opening ports!)

I suppose I can’t re-sign the code as only the developers can do this. Is there anything I can do?

Can you please include this functionality in the next release?

Actually Vine Viewer is NOT code-signed at this time. So I’m not 100% sure what you are seeing. The Firewall might be complaining if you have the application editable by ALL.

Hello,
thanks for your help. It looks like setting the permissions to everyone=no access may help.

The Application Firewall is now asking whether I want to allow incoming connections for Vine Viewer, and if I confirm, it lets it.

I checked the codesigning again, and it appears even not-code-signed applications differ from apps that have been modified.

Testing the untouched app:
admin$ codesign -vvvv /Volumes/Vine3.0/Vine\ Viewer.app
/Volumes/Vine3.0/Vine Viewer.app: code object is not signed

Testing the modified app returns this:
admin$ codesign -vvvv /Applications/Vine3.0/Vine\ Viewer.app
/Applications/Vine3.0/Vine Viewer.app: a sealed resource is missing or invalid
/Applications/Vine3.0/Vine Viewer.app/Contents/Resources/ssh_config: resource modified

Well, I reckon the firewall thinks this is suspicious enough not to allow it access. Not sure what this has to do with permissions.

That is interesting – it might be looking at modification dates and seeing that that file was AFTER the installation of the package as a whole.
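
The two checks that come up in this thread, the `codesign -vvvv` result and whether the bundle is writable by everyone, combined into one audit script. This is an added example, not code from any poster or from the Vine developers. The function names are hypothetical, and the "valid on disk" message is assumed from codesign's usual output for an intact signature, since it does not appear in the thread.

```python
import os
import stat
import subprocess
import sys

# Output lines quoted in the thread above.
SAMPLE_UNSIGNED = "/Volumes/Vine3.0/Vine Viewer.app: code object is not signed\n"
SAMPLE_MODIFIED = (
    "/Applications/Vine3.0/Vine Viewer.app: a sealed resource is missing or invalid\n"
    "/Applications/Vine3.0/Vine Viewer.app/Contents/Resources/ssh_config: resource modified\n"
)

def classify_codesign(output):
    """Return (status, modified_paths) for `codesign -vvvv` text."""
    status, modified = "unknown", []
    for line in output.splitlines():
        path, sep, msg = line.rpartition(": ")
        if not sep:
            continue
        if msg == "code object is not signed":
            status = "unsigned"
        elif msg == "a sealed resource is missing or invalid":
            status = "seal-broken"
        elif msg == "resource modified":
            status = "seal-broken"
            modified.append(path)  # the file that no longer matches the seal
        elif msg == "valid on disk" and status == "unknown":
            status = "valid"
    return status, modified

def world_writable(bundle):
    """List paths in the bundle (bundle included) that 'everyone' may write."""
    paths = [bundle]
    for root, dirs, files in os.walk(bundle):
        paths += [os.path.join(root, name) for name in dirs + files]
    hits = []
    for p in paths:
        mode = os.lstat(p).st_mode
        if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
            hits.append(p)
    return hits

if __name__ == "__main__":
    app = sys.argv[1]  # path to the .app bundle to audit
    # codesign writes these messages to stderr; stdout is included as well.
    result = subprocess.run(["codesign", "-vvvv", app], capture_output=True, text=True)
    print(classify_codesign(result.stderr + result.stdout))
    print(world_writable(app))
```

Run it on the Mac as `python3 audit_app.py "/Applications/Vine3.0/Vine Viewer.app"` (the script filename is an assumption).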