Leopard Firewall + Code Signing Breaks Skype (And Other Applications)

By Rich | November 1, 2007

I’m almost done with my deeper review of the firewall, but discovered something ugly in the process of podcasting and firewall testing.

If you enable the firewall in the “Set access for specific services and applications” mode, Leopard digitally signs applications on launch that aren’t already signed via Apple’s mechanism.

If that application happens to change during runtime, as Skype seems to, the signature no longer matches and the application won’t run. There are no dialogs or warnings- the icon just dances on the dock for a few bounces then disappears.

I went to podcast last night and had this happen. Reinstalling it fixed the problem, but then it hit again today. I looked in my console and saw the following:

Nov 1 16:09:34 CrashBook [0x0-0x27027].com.skype.skype[387]: Check 1 failed. Can’t run Skype

Googling that error returns some threads in Skype forums that indicate this is a known issue related to the firewall and code signing.

A reinstall fixes it, but this is, obviously, a bit of a problem.

I’m somewhat surprised this hasn’t made the rounds yet.

16 Comments

n
nasri 2009-06-03
Barry is a funny guy, why not go around his zone. <a >dofus power leveling</a rel="nofollow ugc">
1
10.5.1 firewall and Skype - MacNN Forums 2007-11-16
[...] Originally Posted by analogika&nbsp; Maybe I'm being stupid, but what the hell does keeping the port for Skype open in the firewall by default (by designating Skype an &quot;essential service&quot;) have to do with code signing? Leopard Firewall + Code Signing Breaks Skype (And Other Applications) | securosis.com [...]
M
Mac OS X firewall blocks Skype and online gamers - 2007-11-07
[...] + rand + '?&quot; type=&quot;text/javascript&quot;&gt;x3C/script&gt;'); Mogull traced the issue to the firewall's (application security) code signing features. Leopard signs [...]
M
Marigold.cz &raquo; Co u Leopardu zasmrádlo 2007-11-06
[...] Když opomineme vypnutý firewall, je s firewallem ještě jeden signifikantní problém. Skype. Když si firewall zapnete (System Preferences - Security) a nemáte nastaveno Allow all incoming connections a používáte Skype, dojde za nějakou dobu k nepříjemné události: Skype odmítne fungovat. Na chvíli pomůže reinstalace, po nějaké další blíže nejisté době nepomůže ani ta. Securosis.com [...]
M
Mac OS X firewall blocks Skype and online gamers | 2007-11-06
[...] traced the issue to the firewall&#8217;s (application security) code signing features. Leopard signs [...]
L
Leopard Firewall Takes One Step Forward 2007-11-05
[...] because the application&#8217;s checksum would no longer match the checksum in the signature.) If the application changes itself while running, as Skype does (and as some other applications do too), it won&#8217;t match the signature the next [...]
i
ippimail.com &raquo; Blog Archive &raquo; Leopard 2007-11-05
[...] because the application&#8217;s checksum would no longer match the checksum in the signature.) If the application changes itself while running, as Skype does (and as some other applications do too), it won&#8217;t match the signature the next [...]
A
Apple schlampt bei der Sicherheit 2007-11-05
[...] &#252;ber eine nachl&#228;ssige Standardeinstellung hinaus. Der IT-Sicherheitsberater Rich Mogull beschreibt in seinem Blog, dass eine einmal aktivierte Leopard-Firewall auf dem Mac installierte Programme besch&#228;digen [...]
M
MacMacken &raquo; World of Warcraft mit «Leopard 2007-11-03
[...] startet unter Mac OS X «Leopard» nur einmal, wenn man die «Leopard»-Firewall mit der Konfiguration «Zugriff auf bestimmte Dienste und Programme» festlegen.... Das Problem besteht im Grundsatz darin, dass die «Leopard»-Firewall feststellt, dass sich die [...]
J
Jason 2007-11-02
I posted an entry on my blog regarding this issue yesterday. Apparently, this Leopard firewall also breaks World of Warcraft and prevents it from running properly.
D
David Grob 2007-11-01
It has already made rounds, at least in German Mac forums, German blogs (e.g. MacHackers by the CCC) and in German blogs (e.g. MacMacken, see http://www.macmacken.com/2007/10/27/skype-mit-leopard-macken/).
r
rmogull 2007-11-01
Funny how it hasn't spread more, I'll be shocked if a lot of people haven't been dealing with this for a while.
D
David Grob 2007-11-01
It seems that not all Skype users face the above-described problem, probably depending on the firewall configuration or the way they installed/updated to Mac OS X 10.5. In addition, Skype doesn't seem to be that important for Mac users ...
r
rmogull 2007-11-01
It's only if you use the firewall in application control mode when Skype is launched. Allow all or block all don't have the same effect.
J
Jake 2007-11-01
I've had this problem with either and upgrade or a clean install.
J
John 2007-11-01
Skype obviously has several anti-reversing mechanisms within it, primarily code packing. I wouldn't have thought a packer would break the signing mechanism though, unless it's modifying the file on disk (i dont know why it would?) The other reason, and slghtly more interesting explaination might be that apple is validating the application's signature in memory? This might also stop some code injection tricks that the matasano boys were talking about.