Leopard Firewall + Code Signing Breaks Skype (And Other Applications)

Filed under Apple, Non-Geek by rmogull | 15 comments



I’m almost done with my deeper review of the firewall, but discovered something ugly in the process of podcasting and firewall testing.

If you enable the firewall in the “Set access for specific services and applications” mode, Leopard digitally signs applications on launch that aren’t already signed via Apple’s mechanism.

If that application happens to change during runtime, as Skype seems to, the signature no longer matches and the application won’t run. There are no dialogs or warnings- the icon just dances on the dock for a few bounces then disappears.

I went to podcast last night and had this happen. Reinstalling it fixed the problem, but then it hit again today. I looked in my console and saw the following:

Nov 1 16:09:34 CrashBook [0x0-0x27027].com.skype.skype[387]: Check 1 failed. Can’t run Skype

Googling that error returns some threads in Skype forums that indicate this is a known issue related to the firewall and code signing.

A reinstall fixes it, but this is, obviously, a bit of a problem.

I’m somewhat surprised this hasn’t made the rounds yet,

Posted on November 1

15 comments

  1. David Grob Nov 1

    It has already made rounds, at least in German Mac forums, German blogs (e.g. MacHackers by the CCC) and in German blogs (e.g. MacMacken, see http://www.macmacken.com/2007/10/27/skype-mit-leopard-macken/).

  2. rmogull Nov 1

    Funny how it hasn’t spread more, I’ll be shocked if a lot of people haven’t been dealing with this for a while.

  3. David Grob Nov 1

    It seems that not all Skype users face the above-described problem, probably depending on the firewall configuration or the way they installed/updated to Mac OS X 10.5. In addition, Skype doesn’t seem to be that important for Mac users …

  4. rmogull Nov 1

    It’s only if you use the firewall in application control mode when Skype is launched. Allow all or block all don’t have the same effect.

  5. Jake Nov 1

    I’ve had this problem with either and upgrade or a clean install.

  6. John Nov 2

    Skype obviously has several anti-reversing mechanisms within it, primarily code packing.
    I wouldn’t have thought a packer would break the signing mechanism though, unless it’s modifying the file on disk (i dont know why it would?) The other reason, and slghtly more interesting explaination might be that apple is validating the application’s signature in memory? This might also stop some code injection tricks that the matasano boys were talking about.

  7. Jason Nov 2

    I posted an entry on my blog regarding this issue yesterday. Apparently, this Leopard firewall also breaks World of Warcraft and prevents it from running properly.

  1. MacMacken » World of Warcraft mit «Leopard»-Macken à la Skype
  2. Leopard Firewall Takes One Step Forward, Three Steps Back
  3. ippimail.com » Blog Archive » Leopard Firewall Takes One Step Forward, Three Steps Back
  4. Apple schlampt bei der Sicherheit
  5. Marigold.cz » Co u Leopardu zasmrádlo
  6. Mac OS X firewall blocks Skype and online gamers | bigz.blowbank.com
  7. Mac OS X firewall blocks Skype and online gamers - Computer Forums
  8. 10.5.1 firewall and Skype - MacNN Forums

Leave a reply

Related Posts

First Leopard Update Is Out- Some Of Firewall Fixed; Skype Works
Investigating the Leopard Firewall
TidBITS Article on Leopard Up